From patchwork Mon Aug 19 19:04:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47953 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6CE7AC5472E for ; Mon, 19 Aug 2024 19:04:44 +0000 (UTC) Received: from mail-qv1-f51.google.com (mail-qv1-f51.google.com [209.85.219.51]) by mx.groups.io with SMTP id smtpd.web10.1073.1724094275628538552 for ; Mon, 19 Aug 2024 12:04:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=vDeYlmUX; spf=pass (domain: linaro.org, ip: 209.85.219.51, mailfrom: javier.tia@linaro.org) Received: by mail-qv1-f51.google.com with SMTP id 6a1803df08f44-6bf6dedbfe1so27997076d6.3 for ; Mon, 19 Aug 2024 12:04:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724094274; x=1724699074; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=PNsnFRtx0GTlzGiTySEEkikY6bEysngPXY/quIReZh4=; b=vDeYlmUXvdQ8KwSL03RouJB7eR+ctsGcDRqhtzxH+Z/pVcCsWvRMbJz7hr0Lu2Ka7m 8Ov3gvlX5F2cWhQBilaq+/3p4TJdNcENthocTJvETFw10F5EzQjBAxWwDfXZDRD0ir49 lbfVCmAirzp6GZLff3Lhcfbn9noNmLlgUggG6SQocJmAX29dkZYEtzz2+xzK7Tqznzrs LmbcVZ8ZYvMqRkfj7gjoLF1Q4hbA2J+9Hr81Ixxc9XuOUUazVOYQEKXV05UYFVHhXt7r erjN9BdHc2VhsRHGfHWOTfmrqzJn8dgJ3QjdtCKIKIEv2LAIWkjZe69eKJTZZ358yQFi OA7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724094274; x=1724699074; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; 
bh=PNsnFRtx0GTlzGiTySEEkikY6bEysngPXY/quIReZh4=; b=V1+bwzqiltIfXuZUsW/+9kd6JD0pH8TjKi7j3mnbllO55RfCG5EEAMw0aNT/DjbuDS aAwTyTK9+Kw5NFL693DOkBJOPPcBjfDvWrkp7tHGGhG+JOQkLEwBT0O4ExzUdoSjmqDe 2juRj4V9BhRt+4AuIVvJ6fYV0KSR1hlq+PMeDhpG5FyWMzmgh4HqboUYIzWI1tNA/Yqd 60NtsOVHxpfDEk2BwCj6B4xO74Dq4qD0csllUi5ElVGpIEZL+XEHhkycuLORZVlfzx7R dyalGhtAJhYpz1nd2jHxvmUTnYHU3sOPo0idK3ma2T+EGXEjPPWbCbkLsf9lvb6+NbqK KwBw== X-Gm-Message-State: AOJu0YxNfGBIjVp/PYfq4ROtuTmwIYnvfENetBknkvI5BdEM6GvzCcO2 krbwUfac3wJ+6VSfvY6NKJWAZZWnsMe5mlwTXl1tDtOyMcJj/3W8AimIVIYpdhMsptqaxs19Aej / X-Google-Smtp-Source: AGHT+IH/tQag3z1K69EY6szuGGxrisbwrg3ocn7FNPMaO3EpcnpgmQLoTZ5ZmZopPhdXDsLILvANqw== X-Received: by 2002:a05:6214:3d07:b0:6b5:e895:82f0 with SMTP id 6a1803df08f44-6bf7ce5f9c0mr159814596d6.43.1724094274545; Mon, 19 Aug 2024 12:04:34 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([177.93.4.25]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 19 Aug 2024 12:04:34 -0700 (PDT) From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v2 01/14] qemuarm64-secureboot: Introduce uefi-secureboot machine feature Date: Mon, 19 Aug 2024 13:04:16 -0600 Message-ID: <20240819190429.2897888-2-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> References: <20240819190429.2897888-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 19 Aug 2024 19:04:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5967 Signed-off-by: Javier Tia --- meta-arm/conf/machine/qemuarm64-secureboot.conf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf index 55c4cab4..2669be0c 100644 --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf 
@@ -23,3 +23,4 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" +MACHINE_FEATURES += "uefi-secureboot" From patchwork Mon Aug 19 19:04:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47948 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2331FC3DA4A for ; Mon, 19 Aug 2024 19:04:44 +0000 (UTC) Received: from mail-qv1-f42.google.com (mail-qv1-f42.google.com [209.85.219.42]) by mx.groups.io with SMTP id smtpd.web10.1075.1724094276802937628 for ; Mon, 19 Aug 2024 12:04:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=stPNV4HR; spf=pass (domain: linaro.org, ip: 209.85.219.42, mailfrom: javier.tia@linaro.org) Received: by mail-qv1-f42.google.com with SMTP id 6a1803df08f44-6bf7a2035d9so35723136d6.1 for ; Mon, 19 Aug 2024 12:04:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724094276; x=1724699076; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=O7LQHgRISQHcfF0QLO2liZofRFwc99d3sVsZckNqcRY=; b=stPNV4HRN7RutA1L+sdsO8bJ3yERNYbc5Dn55SUiNqiTAuvmIueCOKrZzm2qFytrDo yPIKSzZwbeBb2aqWxAG1yV4sUSNWHmOEXT4SkyIUOXA5GPceyvtgMTaxtpbC+tv+LnKg 2D8hFWpXBZhbdv3Lf8pd6FRqF9nH9X4j8hV9bIeQ7thoYJLZ1BAmEl1G98cg2TjDE20o F5+MNAYtrqItinqgr9feko7eqAnmHYYweWmqQk/th5tD9jaoj+QyG8dhSqXP0QXSBH9P R/WY4VPUs16wE2vlCIg+PtgqYomY7gE+Z1CgVGkJKxJnAjV1mfXdwYaeLp38Wyw/E96n cgdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724094276; x=1724699076; 
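Review bot: the new line duplicates the "MACHINE_FEATURES +=" immediately above it in qemuarm64-secureboot.conf; fold both into one assignment, MACHINE_FEATURES += "optee-ftpm uefi-secureboot", so the feature list stays in one place. Nothing in this hunk says what enabling "uefi-secureboot" changes (which recipes and classes react to it), so add a short comment above the assignment or an entry in the layer's machine-feature documentation for anyone enabling it on a different machine.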
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v2 02/14] core-image-base: Use UEFI layout disk partitions Date: Mon, 19 Aug 2024 13:04:17 -0600 Message-ID: <20240819190429.2897888-3-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> References: <20240819190429.2897888-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 19 Aug 2024 19:04:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5968 - Use efi-disk-no-swap.wks.in disk definition to add expected UEFI disk partitions configuration. Signed-off-by: Javier Tia --- .../recipes-bsp/images/core-image-base-uefi-secureboot.inc | 1 + meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend | 1 + 2 files changed, 2 insertions(+) create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc new file mode 100644 index 00000000..351e9030 --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc @@ -0,0 +1 @@ +WKS_FILE = "efi-disk-no-swap.wks.in" diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend b/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend new file mode 100644 index 00000000..1f6dbd24 --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend 
@@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'core-image-base-uefi-secureboot.inc', '', d)} \ No newline at end of file From patchwork Mon Aug 19 19:04:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47952 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5C327C5472D for ; Mon, 19 Aug 2024 19:04:44 +0000 (UTC) Received: from mail-qv1-f46.google.com (mail-qv1-f46.google.com [209.85.219.46]) by mx.groups.io with SMTP id smtpd.web10.1076.1724094278213070125 for ; Mon, 19 Aug 2024 12:04:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=yeUOeFFB; spf=pass (domain: linaro.org, ip: 209.85.219.46, mailfrom: javier.tia@linaro.org) Received: by mail-qv1-f46.google.com with SMTP id 6a1803df08f44-6bf790944f1so22920216d6.2 for ; Mon, 19 Aug 2024 12:04:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724094277; x=1724699077; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=i3FMcrxoQMEjfxeuNGxbNN6+IFf/qUnBbfx9yY/tZpY=; b=yeUOeFFBliWw+KM1+Gb2k9OFhQRmIyV4bGUgzxfarxews6FX0e5CDNgYbXHt/H9ciT xfZtKR6oRqYNJ08bh77Zkzg3+OMOTOGQ8VMAS7nN9Vr36ZaNzrSJzI+7823ob/hWT3p6 nO2bP/1W4K/34NDhEng6UmfUyub6l0xqJhYuCmp748ujGJB3+sRzzmBYgZDlQXxhKaja xne3GaIdxs4A1H2CV8EJvbRgNg84SnAwIpjlRcbWibvJeBDFTkWAvUMm+0w0jJ7tpuMb kmaVzbQXMwJ1BZNBbMv/8OfXJArluM7UwZ0c8FB5gMWfG0pRTFGXJ1vKnVbkG5CjQCyK 7Yug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724094277; x=1724699077; 
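Review bot: the single line of core-image-base.bbappend has no trailing newline ("\ No newline at end of file"); add one. When the machine feature is absent the bb.utils.contains() expression expands to a bare "require" with no file, which BitBake accepts silently, but a reader will expect a parse error there, so a one-line comment explaining that the include is intentionally conditional would help. For the .inc hunk just above: WKS_FILE is hard-assigned with "=", which overrides whatever WKS_FILE the machine configuration selected (the machine already sets WKS_FILE_DEPENDS = "trusted-firmware-a"); if that override is deliberate, the commit message should say so, and if not, "?=" would let the machine keep its choice.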
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v2 03/14] layer.conf: Introduce UEFI_SB_KEYS_DIR Date: Mon, 19 Aug 2024 13:04:18 -0600 Message-ID: <20240819190429.2897888-4-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> References: <20240819190429.2897888-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 19 Aug 2024 19:04:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5969 UEFI_SB_KEYS_DIR saves UEFI keys path. To avoid security issues, UEFI keys are not provided and they can be generated by gen_uefi_keys.sh script. Signed-off-by: Javier Tia --- meta-arm/conf/layer.conf | 2 ++ meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf index 9e9c9dbd..2854dd69 100644 --- a/meta-arm/conf/layer.conf +++ b/meta-arm/conf/layer.conf @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet" addpylib ${LAYERDIR}/lib oeqa WARN_QA:append:layer-meta-arm = " patch-status" + +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys" \ No newline at end of file diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh new file mode 100755 index 00000000..fc7f25c9 --- /dev/null +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh 
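Review bot: the layer.conf hunk adds UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys" without a trailing newline; add one. Defaulting the key directory into the layer's own git checkout means the private keys that gen_uefi_keys.sh writes there (*.key, created with -nodes, so unencrypted) land inside the source tree. A comment next to the assignment should tell users to point the variable outside the layer, or at a build-time directory, for anything other than throwaway test keys, and the .gitignore that covers *.key/*.crt/*.esl/*.auth (currently added only in 07/14) belongs in this commit, where the path is introduced.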
@@ -0,0 +1,35 @@ +#/bin/sh + +set -eux + +#Create PK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth + +#Create KEK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth + +#Create DB +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth + +#Create DBX +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth + +#Sign image +#sbsign --key db.key --cert db.crt Image + +#Digest image +#hash-to-efi-sig-list Image db_Image.hash +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth + +#Empty cert for testing +touch noPK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth + From patchwork Mon Aug 19 19:04:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47951 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 41679C52D7C for ; Mon, 19 Aug 2024 19:04:44 +0000 (UTC) Received: from mail-qv1-f49.google.com (mail-qv1-f49.google.com [209.85.219.49]) by mx.groups.io 
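Review bot: the first line of gen_uefi_keys.sh is "#/bin/sh", missing the "!", so the file has no valid shebang; execve() on it fails with ENOEXEC and it only works because an interactive shell falls back to interpreting the file itself. Patch 07/14 then rewrites the whole script, shebang included, so introduce the final script here rather than a version that is replaced later in the same series. Inside the script: the owner GUID 11111111-2222-3333-4444-123456789abc is a fixed placeholder shared by PK, KEK, db and dbx; generate one per key owner (uuidgen, as efitools documents) or at least make it a variable that callers can override. The "Create DBX" section generates a fresh key pair and puts its own certificate into the forbidden-signature list; since nothing is ever signed with that key, the dbx entry is a no-op placeholder and should be commented as such, or dbx should start out empty. noPK.auth (an empty PK list signed by PK) lets anyone holding it clear the Platform Key and switch Secure Boot off from a booted OS; it is labelled "for testing", but the script should not leave it beside the production-shaped keys by default, and the comment should state that it must never be deployed with them.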
AGHT+IGHqAABdsh1wMdVFKIlj+Rsc+lIi0I6KmUcwxH203pLHhpLcYthEw5K8ABeOLzvHlRcnmTE5A== X-Received: by 2002:a05:6214:5f01:b0:6b5:936d:e5e9 with SMTP id 6a1803df08f44-6bf7cdf0a71mr175759536d6.26.1724094278263; Mon, 19 Aug 2024 12:04:38 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([177.93.4.25]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 19 Aug 2024 12:04:37 -0700 (PDT) From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v2 04/14] uefi-sb-keys.bbclass: Add class to validate UEFI keys Date: Mon, 19 Aug 2024 13:04:19 -0600 Message-ID: <20240819190429.2897888-5-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> References: <20240819190429.2897888-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 19 Aug 2024 19:04:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5970 Without UEFI keys, signing will fail and the OS will not boot. Signed-off-by: Javier Tia --- meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass new file mode 100644 index 00000000..e800b4c6 --- /dev/null +++ b/meta-arm/classes/uefi-sb-keys.bbclass 
@@ -0,0 +1,24 @@ +# Validate UEFI keys +python __anonymous () { + if d.getVar("UEFI_SB_KEYS_DIR", False) is None: + raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.") + + # keys used for UEFI secure boot + uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR") + + keys_to_check = [ + uefi_sb_keys + "/PK.esl", + uefi_sb_keys + "/KEK.esl", + uefi_sb_keys + "/dbx.esl", + uefi_sb_keys + "/db.esl", + uefi_sb_keys + "/db.key", + uefi_sb_keys + "/db.crt", + ] + + missing_keys = [f for f in keys_to_check if not os.path.exists(f)] + + if missing_keys: + raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), ) + + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys) + +} From patchwork Mon Aug 19 19:04:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47949 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33EE1C54722 for ; Mon, 19 Aug 2024 19:04:44 +0000 (UTC) Received: from mail-ot1-f45.google.com (mail-ot1-f45.google.com [209.85.210.45]) by mx.groups.io with SMTP id smtpd.web10.1078.1724094280447915289 for ; Mon, 19 Aug 2024 12:04:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=pfcfI9Hn; spf=pass (domain: linaro.org, ip: 209.85.210.45, mailfrom: javier.tia@linaro.org) Received: by mail-ot1-f45.google.com with SMTP id 46e09a7af769-70c9cda7f1cso2092293a34.3 for ; Mon, 19 Aug 2024 12:04:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724094279; x=1724699079; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date 
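Review bot: the check runs in an anonymous Python function at parse time and raises bb.parse.SkipRecipe, so a missing key makes the inheriting recipe disappear; for an image the user then sees "Nothing PROVIDES core-image-base" with the real reason buried in the skip text. bb.fatal with the same message, or a check inside a task that actually depends on the keys, would fail loudly at the point where the keys are needed. The parse-time check also conflicts with 07/14, which generates the keys from a recipe's do_install: on a clean checkout the files do not exist when the parser runs, so the inheriting recipe is skipped before the generator recipe can create them. Separately, keys_to_check lists the four .esl files plus db.key and db.crt but none of the .auth files that gen_uefi_keys.sh also produces; decide which set the build consumes and check exactly that.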
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v2 05/14] sbsign.bbclass: Add class to sign binaries Date: Mon, 19 Aug 2024 13:04:20 -0600 Message-ID: <20240819190429.2897888-6-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> References: <20240819190429.2897888-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 19 Aug 2024 19:04:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5971 A lot of recipes are using these same steps to sign binaries for UEFI secure boot. Authored-by: Mikko Rapeli Signed-off-by: Javier Tia --- meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 meta-arm/classes/sbsign.bbclass diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass new file mode 100644 index 00000000..a99c0218 --- /dev/null +++ b/meta-arm/classes/sbsign.bbclass 
@@ -0,0 +1,39 @@ +# Sign binaries for UEFI secure boot +# Usage in recipes: +# +# Set key and cert files in recipe or machine/distro config: +# SBSIGN_KEY = "db.key" +# SBSIGN_CERT = "db.crt" +# +# Set binary to sign per recipe: +# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign" +# +# Then call do_sbsign() in correct stage of the build +# do_compile:append() { +# do_sbsign +# } + +DEPENDS += "sbsigntool-native" + +SBSIGN_KEY ?= "db.key" +SBSIGN_CERT ?= "db.crt" +SBSIGN_TARGET_BINARY ?= "binary_to_sign" + +# makes sure changed keys trigger rebuild/re-signing +SRC_URI += "\ + file://${SBSIGN_KEY} \ + file://${SBSIGN_CERT} \ +" + +# not adding as task since recipes may need to sign binaries at different +# stages. Instead they can call this function when needed by calling this function +do_sbsign() { + bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}" + ${STAGING_BINDIR_NATIVE}/sbsign \ + --key "${UNPACKDIR}/${SBSIGN_KEY}" \ + --cert "${UNPACKDIR}/${SBSIGN_CERT}" \ + --output "${SBSIGN_TARGET_BINARY}.signed" \ + "${SBSIGN_TARGET_BINARY}" + cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned" + cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}" +} \ No newline at end of file From patchwork Mon Aug 19 19:04:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47950 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 33F1AC5472C for ; Mon, 19 Aug 2024 19:04:44 +0000 (UTC) Received: from mail-ot1-f49.google.com (mail-ot1-f49.google.com [209.85.210.49]) by mx.groups.io with SMTP id smtpd.web11.1045.1724094281609132225 for ; Mon, 19 Aug 2024 12:04:41 -0700 Authentication-Results: mx.groups.io; dkim=pass 
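Review bot: SRC_URI += "file://${SBSIGN_KEY}" with SBSIGN_KEY ?= "db.key" makes the fetcher look for db.key in the recipe's FILESPATH, but nothing in the class adds UEFI_SB_KEYS_DIR (from 03/14) to FILESEXTRAPATHS, so every inheriting recipe must do that itself or do_fetch fails; either prepend ${UEFI_SB_KEYS_DIR} to FILESEXTRAPATHS in this class, or default SBSIGN_KEY and SBSIGN_CERT to absolute file:// URLs under that directory. Pulling the private key in through SRC_URI also copies it into ${UNPACKDIR} of every signing recipe, and into anything that archives sources; the header comment should say so, since the stated purpose is only to make key changes re-trigger signing. ${UNPACKDIR} exists only in recent OE-Core releases; older releases need ${WORKDIR}, so note the minimum release the class supports. In do_sbsign, after sbsign writes "${SBSIGN_TARGET_BINARY}.signed", the two cp calls can be one mv of the original to .unsigned and one mv of the signed file into place, avoiding a third copy. The file also lacks a trailing newline.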
46e09a7af769-70cac86e087mr14557849a34.20.1724094280668; Mon, 19 Aug 2024 12:04:40 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([177.93.4.25]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 19 Aug 2024 12:04:40 -0700 (PDT) From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v2 06/14] core-image-base: Inherit uefi-sb-keys Date: Mon, 19 Aug 2024 13:04:21 -0600 Message-ID: <20240819190429.2897888-7-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> References: <20240819190429.2897888-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 19 Aug 2024 19:04:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5972 Signed-off-by: Javier Tia --- .../recipes-bsp/images/core-image-base-uefi-secureboot.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc index 351e9030..2232d3b3 100644 --- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc +++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc 
@@ -1 +1,3 @@ +inherit uefi-sb-keys + WKS_FILE = "efi-disk-no-swap.wks.in" From patchwork Mon Aug 19 19:04:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47947 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25F40C5321D for ; Mon, 19 Aug 2024 19:04:44 +0000 (UTC) Received: from mail-qv1-f50.google.com (mail-qv1-f50.google.com [209.85.219.50]) by mx.groups.io with SMTP id smtpd.web10.1080.1724094283184251129 for ; Mon, 19 Aug 2024 12:04:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=bcAoTUiD; spf=pass (domain: linaro.org, ip: 209.85.219.50, mailfrom: javier.tia@linaro.org) Received: by mail-qv1-f50.google.com with SMTP id 6a1803df08f44-6bf84c3d043so15825526d6.3 for ; Mon, 19 Aug 2024 12:04:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724094282; x=1724699082; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Y6cnGubIUPfqUNMZsTLbuxSnui3vnRbhrJbBfO5KvAM=; b=bcAoTUiDPs9gVw9fdHiWR0mrrs4dVkOnO4aPMx3bT1fAX59YzmkzX3+vuUF1gaaStN JOkvtwvUOnKtKUnIL4ruXkffXxXsOX/GKCMSgZJ1Osq2qHaApfjq3+9egF2jgAW+PbuY WOfIe9l9uKP9BtZTNWCaVqe7Lnbj2QAEw0DPx3WZjSIAM26Kmh2b4I4Q7ljnoYpCP5v6 N/A8crU4N/jbWl/kCHXvn6qxg99nx8cMeA2bnDC+dcdrvpDBZnL5aO2rZj2gYAbRRwLc E477wdpdvBN9xk+HhxpwC1k7Z1uYtLu3H+AZI2Qa4vPWxcUIUFp6L2yV3B9lnqmZ8t2l Oq7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724094282; x=1724699082; h=content-transfer-encoding:mime-version:references:in-reply-to 
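Review bot: inheriting uefi-sb-keys only from the image's .inc means the key check guards core-image-base but not the recipes that actually read db.key and db.crt through sbsign.bbclass (05/14); a user building one of those recipes on its own gets the fetcher's missing-file error instead of the class's "Run gen_uefi_keys.sh" message. Inherit the check from sbsign.bbclass as well (or instead), so every recipe that signs validates the key directory it is about to use.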
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Y6cnGubIUPfqUNMZsTLbuxSnui3vnRbhrJbBfO5KvAM=; b=HBAAnS5mfymgyh2w0UZt9PefB8TCNGGnvKJyWjwFTMNRAQ0BAidHzWiNtsFNhWsxHE mZ9wfnw/+6a1SA+uP3MUP5gIZn+SO9oP+Kt4zxU5IDa1agNqlglKkXps8zuptgKt6FZQ ryPDRodnTXmMKFjVBJcLNYECTPPIkCpj8oNYCBhCtczBQNWOrWC3vOoqWkKQMhV2xZzg p2CGZjJ8TNtarW5mxmZcPXC9dLQF37xY7fPCEOwMUX6HDYwP2ILjO2YZCY+p3XWGYEvZ l5HC7P/sT1v00x5xKoryF9f7yyX+W1nIsuA8ZD7i6Te2RWXaAGKN5KDxBWG/QTmjN2vk VnMw== X-Gm-Message-State: AOJu0Ywkcn5x/SRlk+Ayts56wde/99T1ezI/ZlSz4Gosf8XhFM9zybt7 J+KKg6/AUi6cSJBIv1EHrXE+6stXhe7MgZV9YFylesQt7+9gS3S2GBqh0OrP1R7dRy5utQmr3YS 0 X-Google-Smtp-Source: AGHT+IGLi/fK7gboV6V10W2/Ipz6aR1Y+RPypFMSJPncB7RhI/8GltEYEi2Xi7HRZA6/2wYwrDkpgw== X-Received: by 2002:a05:6214:311e:b0:6b5:eba0:d0ab with SMTP id 6a1803df08f44-6bf7cd999d4mr115243006d6.15.1724094281898; Mon, 19 Aug 2024 12:04:41 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([177.93.4.25]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 19 Aug 2024 12:04:41 -0700 (PDT) From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v2 07/14] meta-arm: Introduce gen-uefi-sb-keys.bb recipe Date: Mon, 19 Aug 2024 13:04:22 -0600 Message-ID: <20240819190429.2897888-8-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> References: <20240819190429.2897888-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 19 Aug 2024 19:04:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5973 Generate a new set of keys on build time. It avoids to use same keys which could generate a security issue. 
Signed-off-by: Javier Tia --- meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++ meta-arm/uefi-sb-keys/.gitignore | 4 ++ meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 56 +++++++++---------- 3 files changed, 57 insertions(+), 29 deletions(-) create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb create mode 100644 meta-arm/uefi-sb-keys/.gitignore diff --git a/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb new file mode 100644 index 00000000..a4ae6d87 --- /dev/null +++ b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: MIT + +SUMMARY = "Generate UEFI keys for secure boot" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +DEPENDS += "bash-native" +DEPENDS += "coreutils-native" +DEPENDS += "efitools-native" +DEPENDS += "openssl-native" + +SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh" + +UNPACKDIR = "${S}" + +do_fetch[noexec] = "1" +do_patch[noexec] = "1" +do_compile[noexec] = "1" +do_configure[noexec] = "1" + +do_install() { + ${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh ${UEFI_SB_KEYS_DIR} +} + +FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key" +FILES:${PN} += "${UEFI_SB_KEYS_DIR}/*.crt" diff --git a/meta-arm/uefi-sb-keys/.gitignore b/meta-arm/uefi-sb-keys/.gitignore new file mode 100644 index 00000000..f8669919 --- /dev/null +++ b/meta-arm/uefi-sb-keys/.gitignore @@ -0,0 +1,4 @@ +*.auth +*.crt +*.esl +*.key \ No newline at end of file diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh index fc7f25c9..21e65c72 100755 --- a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh 
@@ -1,35 +1,33 @@ -#/bin/sh +#!/bin/bash +# +# SPDX-License-Identifier: MIT +# set -eux -#Create PK -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl -sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth +KEYS_PATH=${1:-./} +SUBJECT="/CN=Linaro_LEDGE/" +GUID="11111111-2222-3333-4444-123456789abc" -#Create KEK -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl -sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth +openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ + -keyout "${KEYS_PATH}"/PK.key -out "${KEYS_PATH}"/PK.crt \ + -nodes -days 3650 +cert-to-efi-sig-list -g ${GUID} \ + "${KEYS_PATH}"/PK.crt "${KEYS_PATH}"/PK.esl +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/PK "${KEYS_PATH}"/PK.esl "${KEYS_PATH}"/PK.auth -#Create DB -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl -sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth - -#Create DBX -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl -sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth - -#Sign image -#sbsign --key db.key --cert db.crt Image - -#Digest image -#hash-to-efi-sig-list Image db_Image.hash -#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth - -#Empty cert for testing -touch noPK.esl -sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth +for key in KEK db dbx; do + openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ + -keyout 
"${KEYS_PATH}"/${key}.key -out "${KEYS_PATH}"/${key}.crt \ + -nodes -days 3650 + cert-to-efi-sig-list -g ${GUID} \ + "${KEYS_PATH}"/${key}.crt "${KEYS_PATH}"/${key}.esl + sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/${key} "${KEYS_PATH}"/${key}.esl "${KEYS_PATH}"/${key}.auth +done +# Empty cert for testing +touch "${KEYS_PATH}"/noPK.esl +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/PK "${KEYS_PATH}"/noPK.esl "${KEYS_PATH}"/noPK.auth From patchwork Mon Aug 19 19:04:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47954 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 65316C52D7C for ; Mon, 19 Aug 2024 19:04:54 +0000 (UTC) Received: from mail-qv1-f54.google.com (mail-qv1-f54.google.com [209.85.219.54]) by mx.groups.io with SMTP id smtpd.web10.1081.1724094284426175061 for ; Mon, 19 Aug 2024 12:04:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=qA6vawxw; spf=pass (domain: linaro.org, ip: 209.85.219.54, mailfrom: javier.tia@linaro.org) Received: by mail-qv1-f54.google.com with SMTP id 6a1803df08f44-6bf790944f1so22920876d6.2 for ; Mon, 19 Aug 2024 12:04:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724094283; x=1724699083; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=4i8i4tDl/w+2Hz1m76fbFHZdoBoOcID//NRfTskNKvw=; b=qA6vawxw0C8gn32R3xXKtrqeBylBmLo4oTYSvvTHDtb2hcfWRzVMcoY/YvfeHSeT0k tVVV5Yte4OTtnsxMoa7Cv0LcCPvaPWm+8ViLI2+ZXPfujr+DuU65WNh+nez8IYUd2YnL 
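Review bot: in gen-uefi-sb-keys.bb, `FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key"` packages the private PK, KEK, db and dbx keys into an installable target package, and `do_install()` runs the generator against `${UEFI_SB_KEYS_DIR}` instead of `${D}`, so the output bypasses normal staging; keep the private keys out of any package (consumers in this series only need the `.crt`/`.esl` material) and write the generated files under `${B}`/`${D}` so that an sstate restore of this recipe, and the recipes that `DEPENDS` on it, see a consistent key set rather than whatever currently sits in the layer directory (the new `.gitignore` next to the script shows the output landing in the source tree). In gen_uefi_keys.sh, `GUID="11111111-2222-3333-4444-123456789abc"`, `SUBJECT` and `-days 3650` are still hardcoded and deserve to be parameters (the owner GUID can be produced per build with `uuidgen`), and the `noPK.esl`/`noPK.auth` block emits a PK-signed authenticated update that clears PK, i.e. returns the platform to Setup Mode; since the commit's stated goal is fresh per-build keys, put that test-only artifact behind an explicit switch so production key sets are not generated with it. The `.gitignore` hunk also lacks a trailing newline.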
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia Subject: [PATCH v2 08/14] u-boot: Setup UEFI and Secure Boot Date: Mon, 19 Aug 2024 13:04:23 -0600 Message-ID: <20240819190429.2897888-9-javier.tia@linaro.org> In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5974

Add minimal U-Boot UEFI definitions. Embed UEFI variables with the previously generated keys. This is to enable UEFI Secure Boot and verify the authenticity of the firmware and operating system. When U-Boot is built with UEFI support, it includes a set of efivars that are used to store the Secure Boot variables. These efivars are embedded in the U-Boot binary and are stored in the flash memory of the system.

Signed-off-by: Javier Tia --- .../u-boot/u-boot-qemuarm64-secureboot.inc | 18 ++++++++++++++++++ .../u-boot/u-boot/uefi-secureboot.cfg | 10 ++++++++++ .../recipes-bsp/u-boot/u-boot_%.bbappend | 2 +- 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc new file mode 100644 index 00000000..ffad08e4 --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
@@ -0,0 +1,18 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://uefi-secureboot.cfg" + +UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm" +UBOOT_ENV_NAME = "qemu-arm.env" + +DEPENDS += 'python3-pyopenssl-native' + +do_compile:prepend() { + export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 + + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${UEFI_SB_KEYS_DIR}"/PK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${UEFI_SB_KEYS_DIR}"/db.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file + "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var +} diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg new file mode 100644 index 00000000..d2edb5fb --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg @@ -0,0 +1,10 @@ +CONFIG_CMD_BOOTMENU=y +CONFIG_USE_BOOTCOMMAND=y +CONFIG_BOOTCOMMAND="bootmenu" +CONFIG_USE_PREBOOT=y +CONFIG_EFI_VAR_BUF_SIZE=65536 +CONFIG_FIT_SIGNATURE=y +CONFIG_EFI_SECURE_BOOT=y +CONFIG_EFI_VARIABLES_PRESEED=y +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" +CONFIG_PREBOOT_DEFINED=y \ No newline at end of file diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend index 11f332ad..ee815b6a 100644 --- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend 
@@ -5,6 +5,6 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc" MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc" MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc" MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc" +MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}" require ${MACHINE_U-BOOT_REQUIRE} - From patchwork Mon Aug 19 19:04:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47959 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9CB45C5472E for ; Mon, 19 Aug 2024 19:04:54 +0000 (UTC) Received: from mail-qv1-f52.google.com (mail-qv1-f52.google.com [209.85.219.52]) by mx.groups.io with SMTP id smtpd.web11.1048.1724094285395503332 for ; Mon, 19 Aug 2024 12:04:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=LHjVRLiM; spf=pass (domain: linaro.org, ip: 209.85.219.52, mailfrom: javier.tia@linaro.org) Received: by mail-qv1-f52.google.com with SMTP id 6a1803df08f44-6bf6755323cso27707376d6.1 for ; Mon, 19 Aug 2024 12:04:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724094284; x=1724699084; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=c5+tBxeFbiWkfJkiZMiVStk0WUgY+OMHmCiMHBeRQPM=; b=LHjVRLiMMX4r8IoVWd5gslwpjEcFs6TODUB1MJaJqd+FLZ5roNLCkMgFOafiYRIGJC sa6ypJEP6eT0f1yzvWRUQ+zdVbqUXI8pG3VyC03ue5RTLV1mFZU+W0YAOLAMxxcQviQF 4laC8W0tJJXADYI1ZLNDyhYT7qDeL2fORFWqbJNIyvOZQA4HRVWktSkBdWBmSuamI6Hr 
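Review bot: u-boot-qemuarm64-secureboot.inc reads `${UEFI_SB_KEYS_DIR}/PK.esl`, `KEK.esl`, `db.esl` and `dbx.esl` in `do_compile:prepend()` but, unlike linux-yocto-uefi-secureboot.inc and systemd-boot-uefi-secureboot.inc later in this series, carries no `DEPENDS += 'gen-uefi-sb-keys'`, so nothing orders key generation before this task and a clean build can fail or embed stale key files; add the dependency. The `efivar.py set` calls also write `ubootefi.var` into `${S}` rather than `${B}`, which dirties the source tree across rebuilds. In u-boot_%.bbappend, `MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', ...)}"` gates a qemuarm64-specific include (it hardcodes `UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"`) on a generic machine feature, so any other machine that enables `uefi-secureboot` would pull it in; follow the per-machine pattern of the surrounding lines, `MACHINE_U-BOOT_REQUIRE:qemuarm64-secureboot = "u-boot-qemuarm64-secureboot.inc"`, or gate on both the machine and the feature.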
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia Subject: [PATCH v2 09/14] qemuarm64-secureboot: Add meta-secure-core layer as dependency Date: Mon, 19 Aug 2024 13:04:24 -0600 Message-ID: <20240819190429.2897888-10-javier.tia@linaro.org> In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5975

meta-secure-core is required because of sbsigntool.

Signed-off-by: Javier Tia --- ci/qemuarm64-secureboot.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml index b26941e0..958a1ff1 100644 --- a/ci/qemuarm64-secureboot.yml +++ b/ci/qemuarm64-secureboot.yml
@@ -4,13 +4,15 @@ header: version: 14 includes: - ci/base.yml - -machine: qemuarm64-secureboot - -target: - - core-image-base + - ci/meta-openembedded.yml + - ci/meta-secure-core.yml local_conf_header: optee: | IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta" TEST_SUITES:append = " optee ftpm" + +machine: qemuarm64-secureboot + +target: + - core-image-base From patchwork Mon Aug 19 19:04:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47958 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6525CC3DA4A for ; Mon, 19 Aug 2024 19:04:54 +0000 (UTC) Received: from mail-qv1-f51.google.com (mail-qv1-f51.google.com [209.85.219.51]) by mx.groups.io with SMTP id smtpd.web11.1049.1724094286785101291 for ; Mon, 19 Aug 2024 12:04:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=pBjXFOAs; spf=pass (domain: linaro.org, ip: 209.85.219.51, mailfrom: javier.tia@linaro.org) Received: by mail-qv1-f51.google.com with SMTP id 6a1803df08f44-6bf7658f4aaso23588906d6.0 for ; Mon, 19 Aug 2024 12:04:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724094286; x=1724699086; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=MNiYqaJ6/dp6Rz4Asy2D9hWleJVQzKyC4j+Ug6hTpEI=; b=pBjXFOAsGnoSTtfCuaTrTGyXVs6pKPZXN+nKZoC/gZn80dDmzWENwC4nUSOCW8m0aR nOUBNPM2iGIIamv/5NJQVy3jv0dK3QJsYdPtqAyuR6Fdrr6jl0wQbTNgZHYiEqqLXPwq a0E0TmniL6aZQ17RmjJPHAX+8/ewEu656UXdS351racgLe69WYX24zjKzrS5pkf0rtd8 XT2Bmg/Wv+YrpyBFGg1fs3j/gCzKQHF2g2r/MmHyno2vNOjEw+DWqBnY0BB6nCnJEqCh 
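Review bot: the hunk moves the unchanged `machine: qemuarm64-secureboot` and `target:` keys to the end of ci/qemuarm64-secureboot.yml, turning what is really the addition of two `includes` entries into five deletions and seven insertions; leave those keys where they were so only `- ci/meta-openembedded.yml` and `- ci/meta-secure-core.yml` show as added. The commit message justifies meta-secure-core (sbsigntool) but says nothing about why ci/meta-openembedded.yml is now needed; name the dependency that pulls it in.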
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia Subject: [PATCH v2 10/14] linux-yocto: Setup UEFI and sign kernel image Date: Mon, 19 Aug 2024 13:04:25 -0600 Message-ID: <20240819190429.2897888-11-javier.tia@linaro.org> In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5976

The efivarfs kernel module is required to access EFI variables.

Signed-off-by: Javier Tia --- .../core-image-base-uefi-secureboot.inc | 8 ++++++++ .../linux/linux-yocto%.bbappend | 2 ++ .../linux/linux-yocto-uefi-secureboot.inc | 19 +++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc index 2232d3b3..06046f6e 100644 --- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc +++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc @@ -1,3 +1,11 @@ inherit uefi-sb-keys WKS_FILE = "efi-disk-no-swap.wks.in" + +# Detected by passing kernel parameter +QB_KERNEL_ROOT = "" + +# kernel is in the image, should not be loaded separately +QB_DEFAULT_KERNEL = "none" + +KERNEL_IMAGETYPE = "Image" diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend index a287d0e1..29c21355 100644 --- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \ FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}" require ${FFA_TRANSPORT_INCLUDE} + +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)} \ No newline at end of file diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc new file mode 100644 index 00000000..cb62fdee --- /dev/null +++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc 
@@ -0,0 +1,19 @@ +KERNEL_FEATURES += "cfg/efi-ext.scc" + +DEPENDS += 'gen-uefi-sb-keys' + +inherit sbsign + +SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key" +SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt" + +# shell variable set inside do_compile task +SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE" + +do_compile:append() { + KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit) + do_sbsign +} + +RRECOMMENDS:${PN} += "kernel-module-efivarfs" +RRECOMMENDS:${PN} += "kernel-module-efivars" From patchwork Mon Aug 19 19:04:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47960 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9A7DEC5472C for ; Mon, 19 Aug 2024 19:04:54 +0000 (UTC) Received: from mail-qv1-f46.google.com (mail-qv1-f46.google.com [209.85.219.46]) by mx.groups.io with SMTP id smtpd.web10.1083.1724094287782193907 for ; Mon, 19 Aug 2024 12:04:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=EmaZQ8q+; spf=pass (domain: linaro.org, ip: 209.85.219.46, mailfrom: javier.tia@linaro.org) Received: by mail-qv1-f46.google.com with SMTP id 6a1803df08f44-6bf7ba05f75so30528446d6.0 for ; Mon, 19 Aug 2024 12:04:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724094287; x=1724699087; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=oCvAk01qrRdY3Y5k2RwMc1y4ZpcmHYI/JBaWSAotA/s=; b=EmaZQ8q+J43lixCTihZyUTipHUmj60r9w8/fGTgbvF5W5pMpdonfZCTkUVyicdN8Jr DL0EPkJsU6TY6JdvbKaXWjWlRnwVxF2yaybFDgMZW7ifnXIKhHJi3VGzbLyOYlyU2eEh 
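Review bot: in linux-yocto-uefi-secureboot.inc, `do_compile:append()` locates the binary with `find ${B} -name ${KERNEL_IMAGETYPE} -print -quit`, which returns the first match in an unspecified traversal order and, when nothing matches, leaves `KERNEL_IMAGE` empty without failing the task, so `do_sbsign` can run against nothing and the image ships unsigned; use the known location `${B}/${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}` and abort if the file is absent. `SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"`, which depends on a shell variable set in one function being visible inside `do_sbsign`, is fragile for the same reason and goes away with that fix. The `RRECOMMENDS:${PN} += "kernel-module-efivarfs"` and `kernel-module-efivars` lines only matter if `cfg/efi-ext.scc` builds those as modules; if it selects them built-in no such packages exist and the recommends are dead, so check the resulting .config and keep only what applies (the legacy `efivars` sysfs interface is superseded by efivarfs). The linux-yocto%.bbappend hunk also drops the trailing newline at end of file.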
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia Subject: [PATCH v2 11/14] systemd: Add UEFI support Date: Mon, 19 Aug 2024 13:04:26 -0600 Message-ID: <20240819190429.2897888-12-javier.tia@linaro.org> In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5977

Signed-off-by: Javier Tia --- .../recipes-bsp/images/core-image-base-uefi-secureboot.inc | 2 ++ meta-arm/conf/machine/qemuarm64-secureboot.conf | 5 +++++ meta-arm/recipes-core/systemd/systemd-efi.inc | 1 + meta-arm/recipes-core/systemd/systemd_%.bbappend | 1 + 4 files changed, 9 insertions(+) create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc index 06046f6e..07e315a3 100644 --- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc +++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc @@ -9,3 +9,5 @@ QB_KERNEL_ROOT = "" QB_DEFAULT_KERNEL = "none" KERNEL_IMAGETYPE = "Image" + +IMAGE_INSTALL += "systemd" diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf index 2669be0c..79ab6080 100644 --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -23,4 +23,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" +MACHINE_FEATURES += "efi" MACHINE_FEATURES += "uefi-secureboot" + +INIT_MANAGER = "systemd" +DISTRO_FEATURES += "systemd" +DISTRO_FEATURES_NATIVE += "systemd" diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc new file mode 100644 index 00000000..5572e51a --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-efi.inc @@ -0,0 +1 @@ +PACKAGECONFIG:append = " efi" diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 00000000..660358c2 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend 
@@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)} From patchwork Mon Aug 19 19:04:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 47956 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 75F2AC54722 for ; Mon, 19 Aug 2024 19:04:54 +0000 (UTC) Received: from mail-qk1-f173.google.com (mail-qk1-f173.google.com [209.85.222.173]) by mx.groups.io with SMTP id smtpd.web11.1051.1724094289326965511 for ; Mon, 19 Aug 2024 12:04:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=CCDEUPYj; spf=pass (domain: linaro.org, ip: 209.85.222.173, mailfrom: javier.tia@linaro.org) Received: by mail-qk1-f173.google.com with SMTP id af79cd13be357-7a1d0dc869bso339587085a.2 for ; Mon, 19 Aug 2024 12:04:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724094288; x=1724699088; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Q/r2Ucrd9qMllbfh6Tkmn1si3mm5VM1XainARIeqVZI=; b=CCDEUPYjk080c07IQkMdHaSoU4fCr1VrOarEfM6AGXXzmT0meGPQSA05ZTbHUE9Ywz zWz/xdRQz7efOOqzWaXF7JU2FMujmc+jDDeOVu2i3O39ra+zEuZYqaC4VlEqBawyoCqU QrrCt5usRqT0pksqa9hfeRH6/4HEgU4KeneXkcJaRqrVEadrl5jPUtZOzXjbtRMGilfM IRzRTvEmLtDqBxkqYdqm0odhc9Ldvrnj7v5dJLd9sGDroX2IsfkVFXP92SDIZJzJTVkN 0LOWYsMcNdU5vqIHj/PWvpxxArTjb9RCw0atZ4YxFJ9Kb+zRxuimS7OsIswuS7bDcMVL ALXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724094288; x=1724699088; h=content-transfer-encoding:mime-version:references:in-reply-to 
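Review bot: qemuarm64-secureboot.conf now sets `DISTRO_FEATURES += "systemd"` and `DISTRO_FEATURES_NATIVE += "systemd"` from a machine configuration, which pushes distro policy into the BSP and will collide with distros that choose their own init manager; `INIT_MANAGER = "systemd"` already appends `systemd` to DISTRO_FEATURES through the init-manager include, so the two explicit lines can be dropped, or the machine's hard requirement on systemd should be documented where it is set. The commit has no message body: state why systemd needs `PACKAGECONFIG:append = " efi"` on this machine (what consumes the EFI support) so the gating on the new `efi` machine feature is understandable from the history.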
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia Subject: [PATCH v2 12/14] systemd-boot: Use it as bootloader & sign UEFI image Date: Mon, 19 Aug 2024 13:04:27 -0600 Message-ID: <20240819190429.2897888-13-javier.tia@linaro.org> In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org> X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5978

As qemuarm64-secureboot is already using systemd as its init manager, also use systemd-boot as the bootloader. It has a simpler and more intuitive configuration format compared to grub. It uses a single configuration file that is easy to understand and modify.

Signed-off-by: Javier Tia --- .../images/core-image-base-uefi-secureboot.inc | 2 +- meta-arm-bsp/wic/efi-disk-no-swap.wks.in | 2 +- meta-arm/conf/machine/qemuarm64-secureboot.conf | 2 ++ .../systemd/systemd-boot-uefi-secureboot.inc | 12 ++++++++++++ .../recipes-core/systemd/systemd-boot_%.bbappend | 1 + 5 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc index 07e315a3..e5cf7760 100644 --- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc +++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc @@ -10,4 +10,4 @@ QB_DEFAULT_KERNEL = "none" KERNEL_IMAGETYPE = "Image" -IMAGE_INSTALL += "systemd" +IMAGE_INSTALL += "systemd systemd-boot"
diff --git a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in index 6ae7ad9d..6d77d3aa 100644 --- a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in +++ b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in @@ -7,4 +7,4 @@ part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --exclude-path boot/ -bootloader --ptable gpt --timeout=1 --append="${GRUB_LINUX_APPEND}" +bootloader --ptable gpt --timeout=5 --append="${LINUX_KERNEL_ARGS}" diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf index 79ab6080..38acc97d 100644 --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf @@ -26,6 +26,8 @@ MACHINE_FEATURES += "optee-ftpm" MACHINE_FEATURES += "efi" MACHINE_FEATURES += "uefi-secureboot" +EFI_PROVIDER = "systemd-boot" + INIT_MANAGER = "systemd" DISTRO_FEATURES += "systemd" DISTRO_FEATURES_NATIVE += "systemd" diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc new file mode 100644 index 00000000..c0753614 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc @@ -0,0 +1,12 @@ +DEPENDS += 'gen-uefi-sb-keys' +DEPENDS += "sbsigntool-native" + +inherit sbsign + +SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key" +SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt" +SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi" + +do_compile:append() { + do_sbsign +} diff --git a/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend new file mode 100644 index 00000000..caba9830 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend 
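Review bot: the efi-disk-no-swap.wks.in hunk raises the loader menu timeout from 1 to 5 seconds and replaces `${GRUB_LINUX_APPEND}` with `${LINUX_KERNEL_ARGS}`, but the commit message explains neither change and nothing in this patch defines LINUX_KERNEL_ARGS, so the wks now depends on a variable set somewhere else. Please state where it comes from, and since a five-second menu is reachable on every boot, consider shipping a loader.conf with `editor no` (or document why not): the systemd-boot entry editor allows kernel command-line changes from the console, which works against what a Secure Boot image is meant to guarantee.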
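Review bot: in systemd-boot-uefi-secureboot.inc the signing runs as `do_compile:append() { do_sbsign }` with `SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"`, so the private db key is consumed inside an ordinary build task and the signed `systemd-boot${EFI_ARCH}.efi` ends up in sstate; that is acceptable for the QEMU CI target, but the commit message should say these are development keys from gen-uefi-sb-keys and not a pattern for product signing. Two smaller points: `DEPENDS += 'gen-uefi-sb-keys'` uses single quotes while the next line uses double quotes, and because systemd-boot hands the kernel to the firmware's LoadImage, the kernel Image needs a db signature as well, so please reference the patch in this series that signs it (or note that it is still missing).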
@@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)} \ No newline at end of file
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v2 13/14] meta-arm: Add UEFI Secure Boot test
Date: Mon, 19 Aug 2024 13:04:28 -0600
Message-ID: <20240819190429.2897888-14-javier.tia@linaro.org>
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5979

Add a test to verify UEFI Secure Boot is enabled.

Run the test:

kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

Signed-off-by: Javier Tia
---
 ci/qemuarm64-secureboot.yml | 2 ++
 .../core-image-base-uefi-secureboot.inc | 6 +++-
 .../oeqa/runtime/cases/uefi_secure_boot.py | 32 +++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml index 958a1ff1..02341934 100644 --- a/ci/qemuarm64-secureboot.yml +++ b/ci/qemuarm64-secureboot.yml @@ -11,6 +11,8 @@ local_conf_header: optee: | IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta" TEST_SUITES:append = " optee ftpm" + uefi_secure_boot: | + TEST_SUITES:append = " uefi_secure_boot" machine: qemuarm64-secureboot diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc index e5cf7760..ce64b8b5 100644 --- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc +++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -10,4 +10,8 @@ QB_DEFAULT_KERNEL = "none" KERNEL_IMAGETYPE = "Image" -IMAGE_INSTALL += "systemd systemd-boot" +IMAGE_INSTALL += "systemd systemd-boot util-linux coreutils efivar" + +inherit extrausers + +EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password" diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py new file mode 100644 index 00000000..4a62b54c --- /dev/null +++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py 
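Review bot: the core-image-base-uefi-secureboot.inc hunk adds `EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"` to the image include itself, so every build of this image, not only the test run, ships with a passwordless root login; that belongs in the CI/testimage configuration (ci/testimage.yml is already the entry point used to run the test) or behind a conditional, not in the image definition of a Secure Boot reference machine. Also, `inherit extrausers` is added without any EXTRA_USERS_PARAMS, so it does nothing here and can be dropped, and `util-linux coreutils efivar` are test dependencies that could move to the same test-only configuration.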
@@ -0,0 +1,32 @@ +# +# SPDX-License-Identifier: MIT +# + +import os + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.oetimeout import OETimeout + + +class UEFI_SB_TestSuite(OERuntimeTestCase): + """ + Validate Secure Boot is Enabled + """ + + @OETimeout(1300) + def test_uefi_secure_boot(self): + # Validate Secure Boot is enabled by checking + # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot. + # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known + # identifier for the Secure Boot UEFI variable. By checking the value of + # this variable, specifically + # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine + # whether Secure Boot is enabled or not. This variable is set by the + # UEFI firmware to indicate the current Secure Boot state. If the + # variable is set to a value of '0x1' (or '1'), it indicates that Secure + # Boot is enabled. If the variable is set to a value of '0x0' (or '0'), + # it indicates that Secure Boot is disabled. 
+ cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot" + status, output = self.target.run(cmd, timeout=120) + self.assertEqual(output, "1", msg="\n".join([cmd, output]))
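Review bot: in uefi_secure_boot.py, `import os` and `OEHasPackage` are imported but never used; the latter should decorate the test as `@OEHasPackage(['efivar'])` so it is skipped rather than failing when efivar is not in the image. `status` from `self.target.run()` is also discarded; assert on it too, since a non-zero exit would otherwise surface only as a confusing string mismatch, and the `@OETimeout(1300)` around a single 120-second command looks like a leftover from a longer test. Finally, `SecureBoot == 1` alone does not show that the firmware has left setup mode; reading the `SetupMode` variable under the same GUID and asserting it is 0 would make the check complete.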
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v2 14/14] qemuarm64-secureboot.yml: Set branch to scarthgap
Date: Mon, 19 Aug 2024 13:04:29 -0600
Message-ID: <20240819190429.2897888-15-javier.tia@linaro.org>
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5980

UEFI Secure Boot is broken in master. Set to the latest stable OE branch.

Signed-off-by: Javier Tia
---
 ci/qemuarm64-secureboot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml index 02341934..cadbe874 100644 --- a/ci/qemuarm64-secureboot.yml +++ b/ci/qemuarm64-secureboot.yml @@ -1,5 +1,9 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json +defaults: + repos: + branch: scarthgap + header: version: 14 includes:
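Review bot: `defaults: repos: branch: scarthgap` pins a branch, not a revision, so the Secure Boot CI build can still drift as scarthgap moves; if the goal is a known-good configuration, pin `commit:` alongside it (kas supports both keys). The commit message says Secure Boot is "broken in master" without saying what is broken or linking a report, which leaves no way to tell when this override can be removed; please add that reference.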