From patchwork Mon Aug 19 19:04:16 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47953
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6CE7AC5472E
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:44 +0000 (UTC)
Received: from mail-qv1-f51.google.com (mail-qv1-f51.google.com
 [209.85.219.51])
 by mx.groups.io with SMTP id smtpd.web10.1073.1724094275628538552
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:35 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=vDeYlmUX;
 spf=pass (domain: linaro.org, ip: 209.85.219.51,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f51.google.com with SMTP id
 6a1803df08f44-6bf6dedbfe1so27997076d6.3
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094274; x=1724699074;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=PNsnFRtx0GTlzGiTySEEkikY6bEysngPXY/quIReZh4=;
        b=vDeYlmUXvdQ8KwSL03RouJB7eR+ctsGcDRqhtzxH+Z/pVcCsWvRMbJz7hr0Lu2Ka7m
         8Ov3gvlX5F2cWhQBilaq+/3p4TJdNcENthocTJvETFw10F5EzQjBAxWwDfXZDRD0ir49
         lbfVCmAirzp6GZLff3Lhcfbn9noNmLlgUggG6SQocJmAX29dkZYEtzz2+xzK7Tqznzrs
         LmbcVZ8ZYvMqRkfj7gjoLF1Q4hbA2J+9Hr81Ixxc9XuOUUazVOYQEKXV05UYFVHhXt7r
         erjN9BdHc2VhsRHGfHWOTfmrqzJn8dgJ3QjdtCKIKIEv2LAIWkjZe69eKJTZZ358yQFi
         OA7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094274; x=1724699074;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=PNsnFRtx0GTlzGiTySEEkikY6bEysngPXY/quIReZh4=;
        b=V1+bwzqiltIfXuZUsW/+9kd6JD0pH8TjKi7j3mnbllO55RfCG5EEAMw0aNT/DjbuDS
         aAwTyTK9+Kw5NFL693DOkBJOPPcBjfDvWrkp7tHGGhG+JOQkLEwBT0O4ExzUdoSjmqDe
         2juRj4V9BhRt+4AuIVvJ6fYV0KSR1hlq+PMeDhpG5FyWMzmgh4HqboUYIzWI1tNA/Yqd
         60NtsOVHxpfDEk2BwCj6B4xO74Dq4qD0csllUi5ElVGpIEZL+XEHhkycuLORZVlfzx7R
         dyalGhtAJhYpz1nd2jHxvmUTnYHU3sOPo0idK3ma2T+EGXEjPPWbCbkLsf9lvb6+NbqK
         KwBw==
X-Gm-Message-State: AOJu0YxNfGBIjVp/PYfq4ROtuTmwIYnvfENetBknkvI5BdEM6GvzCcO2
	krbwUfac3wJ+6VSfvY6NKJWAZZWnsMe5mlwTXl1tDtOyMcJj/3W8AimIVIYpdhMsptqaxs19Aej
	/
X-Google-Smtp-Source: 
 AGHT+IH/tQag3z1K69EY6szuGGxrisbwrg3ocn7FNPMaO3EpcnpgmQLoTZ5ZmZopPhdXDsLILvANqw==
X-Received: by 2002:a05:6214:3d07:b0:6b5:e895:82f0 with SMTP id
 6a1803df08f44-6bf7ce5f9c0mr159814596d6.43.1724094274545;
        Mon, 19 Aug 2024 12:04:34 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.33
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:34 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 01/14] qemuarm64-secureboot: Introduce uefi-secureboot
 machine feature
Date: Mon, 19 Aug 2024 13:04:16 -0600
Message-ID: <20240819190429.2897888-2-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:44 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5967

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/machine/qemuarm64-secureboot.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index 55c4cab4..2669be0c 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -23,3 +23,4 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
 
 MACHINE_FEATURES += "optee-ftpm"
+MACHINE_FEATURES += "uefi-secureboot"

From patchwork Mon Aug 19 19:04:17 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47948
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2331FC3DA4A
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:44 +0000 (UTC)
Received: from mail-qv1-f42.google.com (mail-qv1-f42.google.com
 [209.85.219.42])
 by mx.groups.io with SMTP id smtpd.web10.1075.1724094276802937628
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:36 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=stPNV4HR;
 spf=pass (domain: linaro.org, ip: 209.85.219.42,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f42.google.com with SMTP id
 6a1803df08f44-6bf7a2035d9so35723136d6.1
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094276; x=1724699076;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=O7LQHgRISQHcfF0QLO2liZofRFwc99d3sVsZckNqcRY=;
        b=stPNV4HRN7RutA1L+sdsO8bJ3yERNYbc5Dn55SUiNqiTAuvmIueCOKrZzm2qFytrDo
         yPIKSzZwbeBb2aqWxAG1yV4sUSNWHmOEXT4SkyIUOXA5GPceyvtgMTaxtpbC+tv+LnKg
         2D8hFWpXBZhbdv3Lf8pd6FRqF9nH9X4j8hV9bIeQ7thoYJLZ1BAmEl1G98cg2TjDE20o
         F5+MNAYtrqItinqgr9feko7eqAnmHYYweWmqQk/th5tD9jaoj+QyG8dhSqXP0QXSBH9P
         R/WY4VPUs16wE2vlCIg+PtgqYomY7gE+Z1CgVGkJKxJnAjV1mfXdwYaeLp38Wyw/E96n
         cgdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094276; x=1724699076;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=O7LQHgRISQHcfF0QLO2liZofRFwc99d3sVsZckNqcRY=;
        b=wIa7W0byjSExTYAgfMkSGBHxfcdLy/wK/Qkr4D31gEdhQG4nLmtI94+US8sz2HGLqH
         OKw+CMtoxvKxLwzAKRMQYjN1PlTyoZBbTD5ma2lYedvZd4R4hHbGVFVGY7F2Tgco8o8y
         geU/GJo0EY0BkRSOf6OGzGK2kw3BW/TAIlBDDyqfhpc8q1n+U7N9hSWTGU30WGQB3P7B
         7/aLWFxf2nMXhggOlzBN15VV3Fo+aPZlF2KG18cVMtY5AmPF+iA8ZTK5H7P1syG8OFZA
         gpjswx/vzNaJhNVk89KlG/10J4n4OEe4r0n/miNVGu3+A8s8XjVU15oPNupKVqpEOAjp
         dK9Q==
X-Gm-Message-State: AOJu0YzVBjImRe4ni4DVAySMmeyKjvLieAmoXmERgYYdjPS2z56WoxY6
	iE+i6SXiwGeAgDpWk0sFSBY15zH2B1sbCrJlcfHEXzosJzFKeuM7p3YzTfJOr4rXYZUhEKPc4Yi
	7
X-Google-Smtp-Source: 
 AGHT+IH/Ay6S5h4+LNykjTN6ubQcqYXcpLr9Lf90N09Upz4088EtasmjBYncF55sYTykdqDGfhUHfQ==
X-Received: by 2002:a05:6214:f0e:b0:6b5:2aa3:3a7f with SMTP id
 6a1803df08f44-6bfa8a66706mr9524636d6.20.1724094275718;
        Mon, 19 Aug 2024 12:04:35 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:35 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 02/14] core-image-base: Use UEFI layout disk partitions
Date: Mon, 19 Aug 2024 13:04:17 -0600
Message-ID: <20240819190429.2897888-3-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:44 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5968

- Use efi-disk-no-swap.wks.in disk definition to add expected UEFI disk
  partitions configuration.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../recipes-bsp/images/core-image-base-uefi-secureboot.inc       | 1 +
 meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend         | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
new file mode 100644
index 00000000..351e9030
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -0,0 +1 @@
+WKS_FILE = "efi-disk-no-swap.wks.in"
diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend b/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend
new file mode 100644
index 00000000..1f6dbd24
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'core-image-base-uefi-secureboot.inc', '', d)}
\ No newline at end of file

From patchwork Mon Aug 19 19:04:18 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47952
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5C327C5472D
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:44 +0000 (UTC)
Received: from mail-qv1-f46.google.com (mail-qv1-f46.google.com
 [209.85.219.46])
 by mx.groups.io with SMTP id smtpd.web10.1076.1724094278213070125
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:38 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=yeUOeFFB;
 spf=pass (domain: linaro.org, ip: 209.85.219.46,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f46.google.com with SMTP id
 6a1803df08f44-6bf790944f1so22920216d6.2
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094277; x=1724699077;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=i3FMcrxoQMEjfxeuNGxbNN6+IFf/qUnBbfx9yY/tZpY=;
        b=yeUOeFFBliWw+KM1+Gb2k9OFhQRmIyV4bGUgzxfarxews6FX0e5CDNgYbXHt/H9ciT
         xfZtKR6oRqYNJ08bh77Zkzg3+OMOTOGQ8VMAS7nN9Vr36ZaNzrSJzI+7823ob/hWT3p6
         nO2bP/1W4K/34NDhEng6UmfUyub6l0xqJhYuCmp748ujGJB3+sRzzmBYgZDlQXxhKaja
         xne3GaIdxs4A1H2CV8EJvbRgNg84SnAwIpjlRcbWibvJeBDFTkWAvUMm+0w0jJ7tpuMb
         kmaVzbQXMwJ1BZNBbMv/8OfXJArluM7UwZ0c8FB5gMWfG0pRTFGXJ1vKnVbkG5CjQCyK
         7Yug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094277; x=1724699077;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=i3FMcrxoQMEjfxeuNGxbNN6+IFf/qUnBbfx9yY/tZpY=;
        b=Kv3GD4Fc9gVGjXo9KLdmGtJ2par8beqt4BlU1g2RQXsbYTAahUXNdSD2E0tvnp2eLI
         JwctSwQrXrtu5g7QoIMFUMpRTHfeUDkg35M5K0Y9BdsYBJruFagMw9UKNuu9oHpt0s08
         J1Xfut4xr2op6u5933Z/0+7JuAFzKld5cksxf7VTDVQ5CukpwryU3PkyuDHNGLNc5F3u
         +2zoftbMRe0CBR1j6aa0EAVQPAHULSzePY2KFwCpIy8lvMiWyYFN2sm2MSojRV+eFxi6
         4cde32puCAyLiCC8c98oP+xOnKwjbnGMXAox4ODe5ET8KBmF9Tr70cmr/gdBpsrJdO6d
         J74g==
X-Gm-Message-State: AOJu0Yxrc9UnHZ+H1kIBxyEZJW4t4jn+IxpCwp+Y9pT+KjM2wlrTrsrv
	NlBdvFnBwFv+z2cbL1LzIc8eX3CeInesT9P9RPcVHX/u54/6FYBIgRp+JMD+3qomIF5/b3aJ7yS
	F
X-Google-Smtp-Source: 
 AGHT+IGZF9fVdgO1nmOOkVCVUZmhyZo0h3gIuD2vV2JDhc03EC1Lz2fhle20Oegl5KeBEjlMZFlUQA==
X-Received: by 2002:ad4:4448:0:b0:6bf:7d52:6359 with SMTP id
 6a1803df08f44-6bf7d5267a9mr121244766d6.47.1724094277062;
        Mon, 19 Aug 2024 12:04:37 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.35
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:36 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 03/14] layer.conf: Introduce UEFI_SB_KEYS_DIR
Date: Mon, 19 Aug 2024 13:04:18 -0600
Message-ID: <20240819190429.2897888-4-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:44 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5969

UEFI_SB_KEYS_DIR saves UEFI keys path.

To avoid security issues, UEFI keys are not provided and they can be
generated by gen_uefi_keys.sh script.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/layer.conf               |  2 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh

diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
index 9e9c9dbd..2854dd69 100644
--- a/meta-arm/conf/layer.conf
+++ b/meta-arm/conf/layer.conf
@@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet"
 addpylib ${LAYERDIR}/lib oeqa
 
 WARN_QA:append:layer-meta-arm = " patch-status"
+
+UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
\ No newline at end of file
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
new file mode 100755
index 00000000..fc7f25c9
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
@@ -0,0 +1,35 @@
+#/bin/sh
+
+set -eux
+
+#Create PK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+
+#Create KEK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
+sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+
+#Create DB
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+
+#Create DBX
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
+
+#Sign image
+#sbsign --key db.key --cert db.crt Image
+
+#Digest image
+#hash-to-efi-sig-list Image db_Image.hash
+#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
+
+#Empty cert for testing
+touch noPK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+

From patchwork Mon Aug 19 19:04:19 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47951
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 41679C52D7C
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:44 +0000 (UTC)
Received: from mail-qv1-f49.google.com (mail-qv1-f49.google.com
 [209.85.219.49])
 by mx.groups.io with SMTP id smtpd.web10.1077.1724094279526481953
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:39 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=qos3LyxT;
 spf=pass (domain: linaro.org, ip: 209.85.219.49,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f49.google.com with SMTP id
 6a1803df08f44-6bf775d1bdfso24270276d6.1
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094278; x=1724699078;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=SLHu6PRlZnCzW/rU1UEj78mshvoxk7WjoojsTwAZ3/I=;
        b=qos3LyxTTJ4WPILZPSPWysvFIz48fHhtHdq2miHYcn+O2BN78/ARXIvE0yUMJWgLpR
         YV+tyhU5lsJKpP3AiM2XRNqbLGzSiuB4jArQbwPCsj8hNTZEfQx7ZQkTkAZO6kNG5x7K
         2jIphfr6rZ1Eq7oA91lLxZnWhtau26Vy+wxqrTGKMYK8OE2rXrra/87THTovcLaOeDsE
         DBtY/HzrIhuEOraprO0Ge9OfxY4SqFA91aNfouxVSmTBlN57KaUHCSf5KuAOA4j55vhx
         evQ+8Le44ga0+SJhiq5fBalveUEpX2F9e1ruz54x5M0dzeDwsyQNltSwexDqwRMXjqFL
         b0KA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094278; x=1724699078;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=SLHu6PRlZnCzW/rU1UEj78mshvoxk7WjoojsTwAZ3/I=;
        b=BWmKCE6TBVtl0ww1WCA52cmx77z+nXZ8aZpIq8H3cYvSOHzYmBSNuBGi4ivs330QPu
         pxOIAm+cgemI2QQxbxMm4BuYTtHTDP7Gk+qa58r4xH+H0ik17yRMOcOHW+aNrZI3d2RJ
         /eDct7ZcBOsBG+MSg5ctKSyEB7lO0XTgT5v1MbyMP3dfAzSVYAKotEzfZoW9ePTOi1nB
         7cLwJZagvM0L/MALA/cPkKNWkS6WcuW1QOpyxAbrgMaC6fmn6g/DAKeGVgaQSpCGrA80
         pF6V8+12r5sGbZW2Qdlbvc6SPjgdeG1t0NAV8F8e9shGbqD29IhtYqXXaZy55QGP7o/5
         22zw==
X-Gm-Message-State: AOJu0Yx2U4ZvbI0Tplk+GuwGJ7rPZOUaJ5uaU/FOQ8IYB06IPueqwejr
	8fX+u9Fq+Ub2hx04NIdSw39kV2uy8suIblbBKtTKterpZl9mAmUL3cvRmKJqWy1gqrRiBIVkeyF
	A
X-Google-Smtp-Source: 
 AGHT+IGHqAABdsh1wMdVFKIlj+Rsc+lIi0I6KmUcwxH203pLHhpLcYthEw5K8ABeOLzvHlRcnmTE5A==
X-Received: by 2002:a05:6214:5f01:b0:6b5:936d:e5e9 with SMTP id
 6a1803df08f44-6bf7cdf0a71mr175759536d6.26.1724094278263;
        Mon, 19 Aug 2024 12:04:38 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.37
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:37 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 04/14] uefi-sb-keys.bbclass: Add class to validate UEFI
 keys
Date: Mon, 19 Aug 2024 13:04:19 -0600
Message-ID: <20240819190429.2897888-5-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:44 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5970

Without UEFI keys, signing will fail and the OS will not boot.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass

diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass
new file mode 100644
index 00000000..e800b4c6
--- /dev/null
+++ b/meta-arm/classes/uefi-sb-keys.bbclass
@@ -0,0 +1,24 @@
+# Validate UEFI keys
+python __anonymous () {
+    if d.getVar("UEFI_SB_KEYS_DIR", False) is None:
+        raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.")
+
+    # keys used for UEFI secure boot
+    uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR")
+
+    keys_to_check = [
+        uefi_sb_keys + "/PK.esl",
+        uefi_sb_keys + "/KEK.esl",
+        uefi_sb_keys + "/dbx.esl",
+        uefi_sb_keys + "/db.esl",
+        uefi_sb_keys + "/db.key",
+        uefi_sb_keys + "/db.crt",
+    ]
+
+    missing_keys = [f for f in keys_to_check if not os.path.exists(f)]
+
+    if missing_keys:
+        raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), )
+            + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys)
+
+}

From patchwork Mon Aug 19 19:04:20 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47949
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 33EE1C54722
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:44 +0000 (UTC)
Received: from mail-ot1-f45.google.com (mail-ot1-f45.google.com
 [209.85.210.45])
 by mx.groups.io with SMTP id smtpd.web10.1078.1724094280447915289
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:40 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=pfcfI9Hn;
 spf=pass (domain: linaro.org, ip: 209.85.210.45,
 mailfrom: javier.tia@linaro.org)
Received: by mail-ot1-f45.google.com with SMTP id
 46e09a7af769-70c9cda7f1cso2092293a34.3
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094279; x=1724699079;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=jKeLT5wECjxCPh0q9TVfT28Dr9BXXolYW1ml7VAYpJM=;
        b=pfcfI9HnT0NrVtu8N199qBpL80Om+PNCzYgCqGg+n12Ddzs9KcGdFE7LqAWioYBpf6
         9SVinnPSfvDU/uC9Zz/x3ODZTlcL5vsy+64008J9SrECai4jbItHOQG1TcQRDghQJkgx
         8YLNDzitriENWZpY4NWvJMoYiJms3HVjcQ7QILVg3641uu6wUensqn6VxlXQes+J3k/b
         SVOVxVmcuK/wXLYiNXY9gzqMV5gKcU2i2Pbrmx/xNsedD3X300WzQT+HVTKzY8Nxs99f
         whZMOLj/B+yxHEktip0wag/Zkj6KelaL4icXn6hTVxdJeiC4bNQY1WX4EemV+xTr+1XZ
         Qssw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094279; x=1724699079;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=jKeLT5wECjxCPh0q9TVfT28Dr9BXXolYW1ml7VAYpJM=;
        b=P5d5FxNCjxjMW0TNkg+4xWNCpWHPTwdwHUDuk0KaeczCF/8Sa/2DcvIRmDWy9ZI+iU
         uGXtrVa2yFHjU9VTXtKO0ztGJWkIaCHSaob2TM5kZM/8QLFnoVaaM/+cYAk228zoXLpm
         BfdBPqJ8o7dXKQGhDNvMfBvZE3cG2unKGsOhytDmLOsdm+8n36I7uWzEgcXrJNxhyPRY
         TxO9lALZe7/WlY6c3DQjA710Dmiog+cErDWRlEPZbahBkkusQcb9Eeuz9lXb0OTR0px3
         2TsqDXZ+WFxV2v4EN/EDSAO3hlJVhtPgRfHh2ZR6umUJYKzlwOTD45sD2gqZndmWfoDb
         JM1Q==
X-Gm-Message-State: AOJu0YyIn1YnDQieR7rs7WYyoyVjnlUkk5JKtJq8SnirUuGMGw2qoCim
	d1SrHO0IA/P/sXQTGThxAgybqV3y+fpuC7UyiLxqPa/lDy4UhqnHShL9n4gl3uXYlZOSM5v6Yx7
	j
X-Google-Smtp-Source: 
 AGHT+IGl9zjip+zKJEqQr9kUBExE0TehQSKdjVO0Ft9fd1E1eRujsoCdHtu3uDledLpdl8OaXdWLMQ==
X-Received: by 2002:a05:6830:6c88:b0:70d:ee3a:ea6e with SMTP id
 46e09a7af769-70dee3aee19mr249116a34.28.1724094279473;
        Mon, 19 Aug 2024 12:04:39 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.38
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:39 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 05/14] sbsign.bbclass: Add class to sign binaries
Date: Mon, 19 Aug 2024 13:04:20 -0600
Message-ID: <20240819190429.2897888-6-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:44 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5971

A lot of recipes are using these same steps to sign binaries
for UEFI secure boot.

Authored-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 meta-arm/classes/sbsign.bbclass

diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass
new file mode 100644
index 00000000..a99c0218
--- /dev/null
+++ b/meta-arm/classes/sbsign.bbclass
@@ -0,0 +1,39 @@
+# Sign binaries for UEFI secure boot
+# Usage in recipes:
+#
+# Set key and cert files in recipe or machine/distro config:
+# SBSIGN_KEY = "db.key"
+# SBSIGN_CERT = "db.crt"
+#
+# Set binary to sign per recipe:
+# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign"
+#
+# Then call do_sbsign() in correct stage of the build
+# do_compile:append() {
+#     do_sbsign
+# }
+
+DEPENDS += "sbsigntool-native"
+
+SBSIGN_KEY ?= "db.key"
+SBSIGN_CERT ?= "db.crt"
+SBSIGN_TARGET_BINARY ?= "binary_to_sign"
+
+# makes sure changed keys trigger rebuild/re-signing
+SRC_URI += "\
+    file://${SBSIGN_KEY} \
+    file://${SBSIGN_CERT} \
+"
+
+# not adding as task since recipes may need to sign binaries at different
+# stages. Instead they can call this function when needed by calling this function
+do_sbsign() {
+    bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}"
+    ${STAGING_BINDIR_NATIVE}/sbsign \
+        --key "${UNPACKDIR}/${SBSIGN_KEY}" \
+        --cert "${UNPACKDIR}/${SBSIGN_CERT}" \
+        --output  "${SBSIGN_TARGET_BINARY}.signed" \
+        "${SBSIGN_TARGET_BINARY}"
+    cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"
+    cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}"
+}
\ No newline at end of file

From patchwork Mon Aug 19 19:04:21 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47950
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 33F1AC5472C
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:44 +0000 (UTC)
Received: from mail-ot1-f49.google.com (mail-ot1-f49.google.com
 [209.85.210.49])
 by mx.groups.io with SMTP id smtpd.web11.1045.1724094281609132225
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:41 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=B2B1l/L9;
 spf=pass (domain: linaro.org, ip: 209.85.210.49,
 mailfrom: javier.tia@linaro.org)
Received: by mail-ot1-f49.google.com with SMTP id
 46e09a7af769-7093b53f315so1699079a34.2
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094281; x=1724699081;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=d4QveURaOEPjRXZzrUewBCfHkU+UFxipcUv9I+R+wcQ=;
        b=B2B1l/L9ZieQKhmtI9InrwVXIcJ6C9/kxxu94hIluItPbO0uyXCmA6TPogu/6mU7nf
         ZMeimhzVaMTAJKyzKFjBBss54COlM+bT3Tjoz2PmiZS7g2HXtpNz9mq0BoMOW1g5K4g7
         GVVfgR7aoZYA22cmj5OJuDgJ3arPjtmpziMNdrcVv6dXlQQEBEQQVzLk61WVFNpOzPz0
         beR5qJ1OLIzrNvYVMVpV8EAR1eliqPwfwa+WeZ8ZJBwnUNlNJ4JrBd7+7OO2CuVrGGK0
         EOMpImgcynO+bZSZaFbvbXXZ3fmJLq3eK3VLxDIglcX6U6FF0KaSYpfmsqO/zA8bAPnA
         m01w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094281; x=1724699081;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=d4QveURaOEPjRXZzrUewBCfHkU+UFxipcUv9I+R+wcQ=;
        b=CcSn41OuMsJKisI8cDElQ6ZsO7EfoWoSblCw+TLk6v+Jwftq18I9zrYFFiqnAiOcj8
         qoQDURjzynokGfadO0+zjt6yY5zWIRuRZ254bCkLEAkDfXD7VVhjljw5TN6xPInxnO2y
         YRN8Eg7FO+H/fnohG4t+Z45XCofQ1Eia6lvN88Yyrs68F5JVwzpdQ8K9TCWIoTHa1gZY
         z22j6NTCwM9RWPLwBVGb1u3RGlIlZSlvvEQ1AaLk1PxodAwt3wK/Pbt/2+PoiCFTM+ol
         7PgU+/Ta8qClXl/LA0WCM6uhewAcPDOjUalzwdmqMfmpg2Yi3K86O1IplPo0PHQLS98g
         RuYA==
X-Gm-Message-State: AOJu0YzDZk0a4755tNKt9a2uqxwi+2Jr+elMwYdSXRuwiYA4vSLRZjSZ
	ymh5Yb2ua/pwHrBGyQX+fCEju7k/MNk4z1LxoCn/eNjN6B6PqxegoDMYD8QNjbqHUPv0uzdGaqI
	I
X-Google-Smtp-Source: 
 AGHT+IETqu+4IhTh3XYa8bl0TYN7HzgRJGBNjibvzIcKEqCuCriezTRK7fMwCIuJp9hiqFChINXzUw==
X-Received: by 2002:a05:6830:6388:b0:704:4abf:c0d6 with SMTP id
 46e09a7af769-70cac86e087mr14557849a34.20.1724094280668;
        Mon, 19 Aug 2024 12:04:40 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.39
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:40 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 06/14] core-image-base: Inherit uefi-sb-keys
Date: Mon, 19 Aug 2024 13:04:21 -0600
Message-ID: <20240819190429.2897888-7-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:44 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5972

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../recipes-bsp/images/core-image-base-uefi-secureboot.inc      | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 351e9030..2232d3b3 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -1 +1,3 @@
+inherit uefi-sb-keys
+
 WKS_FILE = "efi-disk-no-swap.wks.in"

From patchwork Mon Aug 19 19:04:22 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47947
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 25F40C5321D
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:44 +0000 (UTC)
Received: from mail-qv1-f50.google.com (mail-qv1-f50.google.com
 [209.85.219.50])
 by mx.groups.io with SMTP id smtpd.web10.1080.1724094283184251129
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:43 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=bcAoTUiD;
 spf=pass (domain: linaro.org, ip: 209.85.219.50,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f50.google.com with SMTP id
 6a1803df08f44-6bf84c3d043so15825526d6.3
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094282; x=1724699082;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=Y6cnGubIUPfqUNMZsTLbuxSnui3vnRbhrJbBfO5KvAM=;
        b=bcAoTUiDPs9gVw9fdHiWR0mrrs4dVkOnO4aPMx3bT1fAX59YzmkzX3+vuUF1gaaStN
         JOkvtwvUOnKtKUnIL4ruXkffXxXsOX/GKCMSgZJ1Osq2qHaApfjq3+9egF2jgAW+PbuY
         WOfIe9l9uKP9BtZTNWCaVqe7Lnbj2QAEw0DPx3WZjSIAM26Kmh2b4I4Q7ljnoYpCP5v6
         N/A8crU4N/jbWl/kCHXvn6qxg99nx8cMeA2bnDC+dcdrvpDBZnL5aO2rZj2gYAbRRwLc
         E477wdpdvBN9xk+HhxpwC1k7Z1uYtLu3H+AZI2Qa4vPWxcUIUFp6L2yV3B9lnqmZ8t2l
         Oq7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094282; x=1724699082;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=Y6cnGubIUPfqUNMZsTLbuxSnui3vnRbhrJbBfO5KvAM=;
        b=HBAAnS5mfymgyh2w0UZt9PefB8TCNGGnvKJyWjwFTMNRAQ0BAidHzWiNtsFNhWsxHE
         mZ9wfnw/+6a1SA+uP3MUP5gIZn+SO9oP+Kt4zxU5IDa1agNqlglKkXps8zuptgKt6FZQ
         ryPDRodnTXmMKFjVBJcLNYECTPPIkCpj8oNYCBhCtczBQNWOrWC3vOoqWkKQMhV2xZzg
         p2CGZjJ8TNtarW5mxmZcPXC9dLQF37xY7fPCEOwMUX6HDYwP2ILjO2YZCY+p3XWGYEvZ
         l5HC7P/sT1v00x5xKoryF9f7yyX+W1nIsuA8ZD7i6Te2RWXaAGKN5KDxBWG/QTmjN2vk
         VnMw==
X-Gm-Message-State: AOJu0Ywkcn5x/SRlk+Ayts56wde/99T1ezI/ZlSz4Gosf8XhFM9zybt7
	J+KKg6/AUi6cSJBIv1EHrXE+6stXhe7MgZV9YFylesQt7+9gS3S2GBqh0OrP1R7dRy5utQmr3YS
	0
X-Google-Smtp-Source: 
 AGHT+IGLi/fK7gboV6V10W2/Ipz6aR1Y+RPypFMSJPncB7RhI/8GltEYEi2Xi7HRZA6/2wYwrDkpgw==
X-Received: by 2002:a05:6214:311e:b0:6b5:eba0:d0ab with SMTP id
 6a1803df08f44-6bf7cd999d4mr115243006d6.15.1724094281898;
        Mon, 19 Aug 2024 12:04:41 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.40
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:41 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 07/14] meta-arm: Introduce gen-uefi-sb-keys.bb recipe
Date: Mon, 19 Aug 2024 13:04:22 -0600
Message-ID: <20240819190429.2897888-8-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:44 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5973

Generate a new set of keys on build time. It avoids to use same keys
which could generate a security issue.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++
 meta-arm/uefi-sb-keys/.gitignore              |  4 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 56 +++++++++----------
 3 files changed, 57 insertions(+), 29 deletions(-)
 create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
 create mode 100644 meta-arm/uefi-sb-keys/.gitignore

diff --git a/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
new file mode 100644
index 00000000..a4ae6d87
--- /dev/null
+++ b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: MIT
+
+SUMMARY = "Generate UEFI keys for secure boot"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+DEPENDS += "bash-native"
+DEPENDS += "coreutils-native"
+DEPENDS += "efitools-native"
+DEPENDS += "openssl-native"
+
+SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh"
+
+UNPACKDIR = "${S}"
+
+do_fetch[noexec] = "1"
+do_patch[noexec] = "1"
+do_compile[noexec] = "1"
+do_configure[noexec] = "1"
+
+do_install() {
+    ${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh ${UEFI_SB_KEYS_DIR}
+}
+
+FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key"
+FILES:${PN} += "${UEFI_SB_KEYS_DIR}/*.crt"
diff --git a/meta-arm/uefi-sb-keys/.gitignore b/meta-arm/uefi-sb-keys/.gitignore
new file mode 100644
index 00000000..f8669919
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/.gitignore
@@ -0,0 +1,4 @@
+*.auth
+*.crt
+*.esl
+*.key
\ No newline at end of file
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
index fc7f25c9..21e65c72 100755
--- a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
@@ -1,35 +1,33 @@
-#/bin/sh
+#!/bin/bash
+#
+# SPDX-License-Identifier: MIT
+#
 
 set -eux
 
-#Create PK
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
-sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+KEYS_PATH=${1:-./}
+SUBJECT="/CN=Linaro_LEDGE/"
+GUID="11111111-2222-3333-4444-123456789abc"
 
-#Create KEK
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
-sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \
+    -keyout "${KEYS_PATH}"/PK.key -out "${KEYS_PATH}"/PK.crt \
+    -nodes -days 3650
+cert-to-efi-sig-list -g ${GUID} \
+    "${KEYS_PATH}"/PK.crt "${KEYS_PATH}"/PK.esl
+sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
+    "${KEYS_PATH}"/PK "${KEYS_PATH}"/PK.esl "${KEYS_PATH}"/PK.auth
 
-#Create DB
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
-sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
-
-#Create DBX
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
-sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
-
-#Sign image
-#sbsign --key db.key --cert db.crt Image
-
-#Digest image
-#hash-to-efi-sig-list Image db_Image.hash
-#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
-
-#Empty cert for testing
-touch noPK.esl
-sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+for key in KEK db dbx; do
+    openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \
+        -keyout "${KEYS_PATH}"/${key}.key -out "${KEYS_PATH}"/${key}.crt \
+        -nodes -days 3650
+    cert-to-efi-sig-list -g ${GUID} \
+        "${KEYS_PATH}"/${key}.crt "${KEYS_PATH}"/${key}.esl
+    sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
+        "${KEYS_PATH}"/${key} "${KEYS_PATH}"/${key}.esl "${KEYS_PATH}"/${key}.auth
+done
 
+# Empty cert for testing
+touch "${KEYS_PATH}"/noPK.esl
+sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
+    "${KEYS_PATH}"/PK "${KEYS_PATH}"/noPK.esl "${KEYS_PATH}"/noPK.auth

From patchwork Mon Aug 19 19:04:23 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47954
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 65316C52D7C
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:54 +0000 (UTC)
Received: from mail-qv1-f54.google.com (mail-qv1-f54.google.com
 [209.85.219.54])
 by mx.groups.io with SMTP id smtpd.web10.1081.1724094284426175061
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:44 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=qA6vawxw;
 spf=pass (domain: linaro.org, ip: 209.85.219.54,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f54.google.com with SMTP id
 6a1803df08f44-6bf790944f1so22920876d6.2
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094283; x=1724699083;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=4i8i4tDl/w+2Hz1m76fbFHZdoBoOcID//NRfTskNKvw=;
        b=qA6vawxw0C8gn32R3xXKtrqeBylBmLo4oTYSvvTHDtb2hcfWRzVMcoY/YvfeHSeT0k
         tVVV5Yte4OTtnsxMoa7Cv0LcCPvaPWm+8ViLI2+ZXPfujr+DuU65WNh+nez8IYUd2YnL
         YfQ6jz2gZNqwiV5RYFOXKsdvC/t6Q032g3KstGFp+Pgd2oUh+s7rpAqZkRpc6juNMun/
         17F/lDoPVC7OCNqX9KI65ZSM+YfrtHGghsqGu8xwFaezVkXaBtwqM1IU4c85u00MZsjB
         +3J+Yqx3wm29SCLMkoxryCFM2zh+NPYO7UltIyoMmL5PxOm/ALSVGjKZqM1nPwxsGTHX
         B70g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094283; x=1724699083;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=4i8i4tDl/w+2Hz1m76fbFHZdoBoOcID//NRfTskNKvw=;
        b=ZCXh0B3OzQhJLCfjA2gvza6R7WylsoSVEAHUpLbNY8htjCiDtEUW2G47tTBatawZ3S
         eytEok+8KGZi37qmj9cLUGqepSmrP6CzOlVk/TIJLWgn5egQJ0wQ689xZP1bmO3mE5P6
         PjTt3XhH97AHwIvIeEzMBDim/gFYVNna0QTM8FDyS8M9dzCNekArN3bMOcsERp29v6Ab
         TOac2aBvzCn7UCTwgIwN2EZoeL9C9GAa5zKQqIpyS4cR0h1v66einfhFt9O8clwgISO5
         Y+YX6BwXMbu1O51tDbOVWn85DUU8ULblT1OjVetVa8eO9GOWDMFiKCV6ZOWthOdXIiEB
         ISQg==
X-Gm-Message-State: AOJu0Yw1CxNW9X8xM06hZtzJtLDz3Vq7pFIAfo5yezPaRBfSLROmEsHS
	jQpl5gS/0yBNAv/1nFi+7bV6LBiSDNWrF4JVMxjmHWHjpURo1DBGGtarulCcTyEZTN11CBOw/Pd
	C
X-Google-Smtp-Source: 
 AGHT+IEcsisHO0WerHea0suK8gTWMUtdXGVaMkMTiK/aflctPHDxVQMBckK+rFuWXkeA02yw6T1VWw==
X-Received: by 2002:a0c:ff28:0:b0:6bf:8891:e305 with SMTP id
 6a1803df08f44-6bf8891e505mr74266436d6.17.1724094283107;
        Mon, 19 Aug 2024 12:04:43 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.42
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:42 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 08/14] u-boot: Setup UEFI and Secure Boot
Date: Mon, 19 Aug 2024 13:04:23 -0600
Message-ID: <20240819190429.2897888-9-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:54 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5974

Add U-Boot minimal UEFI definitions.

Embedded UEFI variables with the keys previously generated. It's to
enable UEFI Secure Boot and verify the authenticity of the firmware and
operating system.

When U-Boot is built with UEFI support, it includes a set of efivars
that are used to store the Secure Boot variables. These efivars are
embedded in the U-Boot binary and are stored in the flash memory of the
system.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../u-boot/u-boot-qemuarm64-secureboot.inc     | 18 ++++++++++++++++++
 .../u-boot/u-boot/uefi-secureboot.cfg          | 10 ++++++++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend       |  2 +-
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg

diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
new file mode 100644
index 00000000..ffad08e4
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
@@ -0,0 +1,18 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://uefi-secureboot.cfg"
+
+UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"
+UBOOT_ENV_NAME = "qemu-arm.env"
+
+DEPENDS += 'python3-pyopenssl-native'
+
+do_compile:prepend() {
+    export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
+
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk  -d "${UEFI_SB_KEYS_DIR}"/PK.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db  -d "${UEFI_SB_KEYS_DIR}"/db.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file
+    "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
+}
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
new file mode 100644
index 00000000..d2edb5fb
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
@@ -0,0 +1,10 @@
+CONFIG_CMD_BOOTMENU=y
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="bootmenu"
+CONFIG_USE_PREBOOT=y
+CONFIG_EFI_VAR_BUF_SIZE=65536
+CONFIG_FIT_SIGNATURE=y
+CONFIG_EFI_SECURE_BOOT=y
+CONFIG_EFI_VARIABLES_PRESEED=y
+CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
+CONFIG_PREBOOT_DEFINED=y
\ No newline at end of file
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
index 11f332ad..ee815b6a 100644
--- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -5,6 +5,6 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
 MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
 MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
 MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
+MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"
 
 require ${MACHINE_U-BOOT_REQUIRE}
-

From patchwork Mon Aug 19 19:04:24 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47959
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9CB45C5472E
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:54 +0000 (UTC)
Received: from mail-qv1-f52.google.com (mail-qv1-f52.google.com
 [209.85.219.52])
 by mx.groups.io with SMTP id smtpd.web11.1048.1724094285395503332
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:45 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=LHjVRLiM;
 spf=pass (domain: linaro.org, ip: 209.85.219.52,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f52.google.com with SMTP id
 6a1803df08f44-6bf6755323cso27707376d6.1
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094284; x=1724699084;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=c5+tBxeFbiWkfJkiZMiVStk0WUgY+OMHmCiMHBeRQPM=;
        b=LHjVRLiMMX4r8IoVWd5gslwpjEcFs6TODUB1MJaJqd+FLZ5roNLCkMgFOafiYRIGJC
         sa6ypJEP6eT0f1yzvWRUQ+zdVbqUXI8pG3VyC03ue5RTLV1mFZU+W0YAOLAMxxcQviQF
         4laC8W0tJJXADYI1ZLNDyhYT7qDeL2fORFWqbJNIyvOZQA4HRVWktSkBdWBmSuamI6Hr
         Wf9JqxgWu1D0BGI92ZAC+IIQsRkKsGLmqugR+LrHe+3CXJeP2Z3fF7NxZffcEgfCzx+m
         CXRRVy0oIgHm2h/KVDecih20FYU/dVPepqcd17q6eGwRNZ2eRINFvlyoy4SD/1ZbFpc2
         0sGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094284; x=1724699084;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=c5+tBxeFbiWkfJkiZMiVStk0WUgY+OMHmCiMHBeRQPM=;
        b=KeE5y4ZS3pw/WBR6f5Ieu/Ql/4W+YGUH8AxlP0Cb+2K1HY0oQYpmgtIobVFRmOvkKS
         /jm0wifcGTnO6rjzornAvZSijkgRAm0T1g0HkBPsCL9KSjlsUiWxgiUZv+OpcXLkmwTg
         IzgFRZxVWpX4gv7rwJckvrpTq5ttSlDDUB00VQSPbJt2lov3n2R18bmyWCePHZ0dbVeR
         k6tIxmcftf3fkKZ4H0aGPkYr3QlML7BW17+qO7wV9sMZJtipU6mxSrHX+0AAEc3e+Jac
         KjVwzBmHVpTk1jVV7Rj8sposbwsNQ9c4Axk7K/BL7aAZ4odwAKxZstEbRRtbbPJtDaVc
         tzcg==
X-Gm-Message-State: AOJu0YzZSXBGqdZAkgXHFrLehnQm30oEfJjEiggUyrCi46MjlmdnxWEC
	JwSQlBxa1ja8zc3mj/tg4F3l3O1sgEG+GXxG2vCfFEuNkhn9dPDLBkFCN3P3kqL32btqxfOtPdP
	H
X-Google-Smtp-Source: 
 AGHT+IFvKL/xkufVRkZtTMzEAIDkYFrA3etYpPtNckcv59h93Ow8/ChnnBvscsoNpT81lu/BHxcLRQ==
X-Received: by 2002:a05:6214:524a:b0:6bb:7a04:3408 with SMTP id
 6a1803df08f44-6bf7cd85850mr159229366d6.11.1724094284314;
        Mon, 19 Aug 2024 12:04:44 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.43
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:43 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 09/14] qemuarm64-secureboot: Add meta-secure-core layer as
 dependency
Date: Mon, 19 Aug 2024 13:04:24 -0600
Message-ID: <20240819190429.2897888-10-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:54 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5975

meta-secure-core is required because of sbsigntool.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index b26941e0..958a1ff1 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -4,13 +4,15 @@ header:
   version: 14
   includes:
     - ci/base.yml
-
-machine: qemuarm64-secureboot
-
-target:
-  - core-image-base
+    - ci/meta-openembedded.yml
+    - ci/meta-secure-core.yml
 
 local_conf_header:
   optee: |
     IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
     TEST_SUITES:append = " optee ftpm"
+
+machine: qemuarm64-secureboot
+
+target:
+  - core-image-base

From patchwork Mon Aug 19 19:04:25 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47958
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6525CC3DA4A
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:54 +0000 (UTC)
Received: from mail-qv1-f51.google.com (mail-qv1-f51.google.com
 [209.85.219.51])
 by mx.groups.io with SMTP id smtpd.web11.1049.1724094286785101291
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:46 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=pBjXFOAs;
 spf=pass (domain: linaro.org, ip: 209.85.219.51,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f51.google.com with SMTP id
 6a1803df08f44-6bf7658f4aaso23588906d6.0
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094286; x=1724699086;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=MNiYqaJ6/dp6Rz4Asy2D9hWleJVQzKyC4j+Ug6hTpEI=;
        b=pBjXFOAsGnoSTtfCuaTrTGyXVs6pKPZXN+nKZoC/gZn80dDmzWENwC4nUSOCW8m0aR
         nOUBNPM2iGIIamv/5NJQVy3jv0dK3QJsYdPtqAyuR6Fdrr6jl0wQbTNgZHYiEqqLXPwq
         a0E0TmniL6aZQ17RmjJPHAX+8/ewEu656UXdS351racgLe69WYX24zjKzrS5pkf0rtd8
         XT2Bmg/Wv+YrpyBFGg1fs3j/gCzKQHF2g2r/MmHyno2vNOjEw+DWqBnY0BB6nCnJEqCh
         28P3xPGtWe5ul40XSm01aUnH14EjfBCEPWYCDLL3Bp7kKtM/WU1X4G+2mM6c9rpwpEx2
         uUgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094286; x=1724699086;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=MNiYqaJ6/dp6Rz4Asy2D9hWleJVQzKyC4j+Ug6hTpEI=;
        b=N/E/40tPOSqak7EK/5qUSau6EFTEYUAqlpdMmPHAmRCJ2e0mU8LY7rAm2bqMvhGrfY
         /RCmIbZ8J3DtWWEKJV7GReLU5IIt8zv9SXpciKhyLYAF+SW9Qz8ympAZYPDspBleiDZZ
         6+xU9wloqeJtaqHPiJDkC3201maYikG5mGixIOJqLNpYqUH186veTzpZUtoUIn19qSgo
         OETbbcmtOfTsGLrN9JTRLd4TrNqlORfw7YvHyP9mnawfFH/pjpHVROaFMJz8OeTkaUDq
         +BBJrvrXtLAPS4WsvT+2I90Y0dFZHd16Z2MWC/C+x0cr8JbTL3cXj3qOBhdy2b+xR8pr
         uA8A==
X-Gm-Message-State: AOJu0YxKWcqISJh3Qt0qqL15Z1z7bFpP/5f3beE9qxvgbbCr7IicKaI9
	N52Qb33tSvJF/z3L/dDhigQrR1oO3/YaCVO4N+NF3y0jNVX/N50Rxj40NoqXA1cNNFvJ1Dkw8Go
	r
X-Google-Smtp-Source: 
 AGHT+IGxHbi+ZsyHAuAvahs/GWf223TGabh/8vTvU7vsS88GBunbzmS/QQl/G7Sca8ELtMM6YQIsTQ==
X-Received: by 2002:a0c:fcc4:0:b0:6bf:7d3c:a64d with SMTP id
 6a1803df08f44-6bf7d3ca727mr114239586d6.32.1724094285471;
        Mon, 19 Aug 2024 12:04:45 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:45 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 10/14] linux-yocto: Setup UEFI and sign kernel image
Date: Mon, 19 Aug 2024 13:04:25 -0600
Message-ID: <20240819190429.2897888-11-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:54 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5976

efivarfs kernel module is required to access EFI vars.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../core-image-base-uefi-secureboot.inc       |  8 ++++++++
 .../linux/linux-yocto%.bbappend               |  2 ++
 .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 2232d3b3..06046f6e 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -1,3 +1,11 @@
 inherit uefi-sb-keys
 
 WKS_FILE = "efi-disk-no-swap.wks.in"
+
+# Detected by passing kernel parameter
+QB_KERNEL_ROOT = ""
+
+# kernel is in the image, should not be loaded separately
+QB_DEFAULT_KERNEL = "none"
+
+KERNEL_IMAGETYPE = "Image"
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
index a287d0e1..29c21355 100644
--- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \
 
 FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
 require ${FFA_TRANSPORT_INCLUDE}
+
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
\ No newline at end of file
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
new file mode 100644
index 00000000..cb62fdee
--- /dev/null
+++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
@@ -0,0 +1,19 @@
+KERNEL_FEATURES += "cfg/efi-ext.scc"
+
+DEPENDS += 'gen-uefi-sb-keys'
+
+inherit sbsign
+
+SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"
+SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt"
+
+# shell variable set inside do_compile task
+SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"
+
+do_compile:append() {
+    KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)
+    do_sbsign
+}
+
+RRECOMMENDS:${PN} += "kernel-module-efivarfs"
+RRECOMMENDS:${PN} += "kernel-module-efivars"

From patchwork Mon Aug 19 19:04:26 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47960
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9A7DEC5472C
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:54 +0000 (UTC)
Received: from mail-qv1-f46.google.com (mail-qv1-f46.google.com
 [209.85.219.46])
 by mx.groups.io with SMTP id smtpd.web10.1083.1724094287782193907
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:47 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=EmaZQ8q+;
 spf=pass (domain: linaro.org, ip: 209.85.219.46,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f46.google.com with SMTP id
 6a1803df08f44-6bf7ba05f75so30528446d6.0
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094287; x=1724699087;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=oCvAk01qrRdY3Y5k2RwMc1y4ZpcmHYI/JBaWSAotA/s=;
        b=EmaZQ8q+J43lixCTihZyUTipHUmj60r9w8/fGTgbvF5W5pMpdonfZCTkUVyicdN8Jr
         DL0EPkJsU6TY6JdvbKaXWjWlRnwVxF2yaybFDgMZW7ifnXIKhHJi3VGzbLyOYlyU2eEh
         OJjHGPZhbdcoF4JYC57WZP0FCUQHbE6U3/lMVbbWRsEy6KuonrmQTxCoQ9IEffWBwsaq
         RlwZMo1kGq+KpLRDXX1cryBZ/v1kBJFQqrCgjOUOtHIllw7TJaChUoYHxyBiA0Q2xGOn
         zsrUpvJuHsuZ//xxDKvhc6BOyDFBd5Ilv1IxTdd09HCq4mp57It9BtAOR/jxYa2NZaCl
         BLng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094287; x=1724699087;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=oCvAk01qrRdY3Y5k2RwMc1y4ZpcmHYI/JBaWSAotA/s=;
        b=QPBqcGmEqSLWSGVW/o5GpdLzdISWYH7wbvDJclU3YFDd4ytljej4bbOVzVx5hWjYlk
         aO7G6cJnPz1G2jVVNXwYjN4s4FvouHelYj2TCmJWUYaZt7Ris8uM70dFzEr2J8oqrVCS
         QZiekKAu3Pc0RoBVvfuirOp2+lLCavt086xPVF7prQLJxjZU1t+icQ2nMujgpBIjeuDc
         YVnM6DK+tcPc6wm1s3+prEcK57SRIMGOTl1UvTTyuuKRYtVkdgs0q0sxZHXG8l7yV/Zr
         +bdHTVXqBe3eBpJDMi+UyEYBZlKmoJngAIEc28eXVYT8kOJnMyura1sP5GfDFY4K7r4F
         UByw==
X-Gm-Message-State: AOJu0YwfmKIwjhyVgkax+U+pYULnjme5d6IqfHndZHbPl2IDaG30wtAy
	Z0DavUNtOMXCgo1ksIgdvr6iyLsk3xGyIFoLSzCUxGsStyK8v0CpY44fLehWRRfgcN4IaFdPfkX
	F
X-Google-Smtp-Source: 
 AGHT+IHRnT7nUUgfNa6m4y86NdvLIp7cpo7oRDN9xMmEYtUAaKaWbC/6rpAa2wuvP+pWjyp8GX6UBQ==
X-Received: by 2002:a05:6214:4613:b0:6bf:8a9c:1d0a with SMTP id
 6a1803df08f44-6bfa8a48ff1mr12212536d6.10.1724094286681;
        Mon, 19 Aug 2024 12:04:46 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.45
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:46 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 11/14] systemd: Add UEFI support
Date: Mon, 19 Aug 2024 13:04:26 -0600
Message-ID: <20240819190429.2897888-12-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:54 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5977

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../recipes-bsp/images/core-image-base-uefi-secureboot.inc   | 2 ++
 meta-arm/conf/machine/qemuarm64-secureboot.conf              | 5 +++++
 meta-arm/recipes-core/systemd/systemd-efi.inc                | 1 +
 meta-arm/recipes-core/systemd/systemd_%.bbappend             | 1 +
 4 files changed, 9 insertions(+)
 create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 06046f6e..07e315a3 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -9,3 +9,5 @@ QB_KERNEL_ROOT = ""
 QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
+
+IMAGE_INSTALL += "systemd"
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index 2669be0c..79ab6080 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -23,4 +23,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
 
 MACHINE_FEATURES += "optee-ftpm"
+MACHINE_FEATURES += "efi"
 MACHINE_FEATURES += "uefi-secureboot"
+
+INIT_MANAGER = "systemd"
+DISTRO_FEATURES += "systemd"
+DISTRO_FEATURES_NATIVE += "systemd"
diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc
new file mode 100644
index 00000000..5572e51a
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-efi.inc
@@ -0,0 +1 @@
+PACKAGECONFIG:append = " efi"
diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend
new file mode 100644
index 00000000..660358c2
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}

From patchwork Mon Aug 19 19:04:27 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47956
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 75F2AC54722
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:54 +0000 (UTC)
Received: from mail-qk1-f173.google.com (mail-qk1-f173.google.com
 [209.85.222.173])
 by mx.groups.io with SMTP id smtpd.web11.1051.1724094289326965511
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:49 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=CCDEUPYj;
 spf=pass (domain: linaro.org, ip: 209.85.222.173,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qk1-f173.google.com with SMTP id
 af79cd13be357-7a1d0dc869bso339587085a.2
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094288; x=1724699088;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=Q/r2Ucrd9qMllbfh6Tkmn1si3mm5VM1XainARIeqVZI=;
        b=CCDEUPYjk080c07IQkMdHaSoU4fCr1VrOarEfM6AGXXzmT0meGPQSA05ZTbHUE9Ywz
         zWz/xdRQz7efOOqzWaXF7JU2FMujmc+jDDeOVu2i3O39ra+zEuZYqaC4VlEqBawyoCqU
         QrrCt5usRqT0pksqa9hfeRH6/4HEgU4KeneXkcJaRqrVEadrl5jPUtZOzXjbtRMGilfM
         IRzRTvEmLtDqBxkqYdqm0odhc9Ldvrnj7v5dJLd9sGDroX2IsfkVFXP92SDIZJzJTVkN
         0LOWYsMcNdU5vqIHj/PWvpxxArTjb9RCw0atZ4YxFJ9Kb+zRxuimS7OsIswuS7bDcMVL
         ALXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094288; x=1724699088;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=Q/r2Ucrd9qMllbfh6Tkmn1si3mm5VM1XainARIeqVZI=;
        b=SHH4x7DIRmZenBDuczYqKh2awIWiZz8r7DQZCC+3EJ7c7MPi7fRNv5Nvwja/TrH84f
         bHS+4E/1YEQIr4WkP2eUsOD5REX0BZeyiIsQeP6qSvCIrI+1dWw7UlfosRVZUfZEq0+X
         Fwr69vwSk3uhTNwWYhnfa/najBSxLld0pbWty/kXBasPFg+p5eyOoQHN8D2tNWUpQeu6
         16oMe7E/9GFoWz8nuC+BWbSBcB77MFWHwbFZBwEham3a9OvYS3O69rsWUsw0Q7AqjzMn
         9dBp9W/Ul/QzpNx1qDQsWLn+wDoeAHEyuTA7jQs0GKpUsz7zBMSeP6ven8+4gcd/UwyC
         9oOg==
X-Gm-Message-State: AOJu0YyYjBmDI56CaUb64G22wkXAxX0ofsR4n4mb7I/8fxeftABmcGmH
	hL6UUYWTuzE3e0w8pm8RI6BxzV+sToQVGM46O2dcgrgwvFrMDN7ciZP+aVsj/jPhtUcuHl94wAA
	O
X-Google-Smtp-Source: 
 AGHT+IFb0+mOOgX8jT9OaDMxeEgQTQ5vjasKJIZ4MPZIFX7UGGC5NboTPpK5kqt4ljR4PO/Z5oiiGQ==
X-Received: by 2002:a05:6214:3d07:b0:6b5:e895:82f0 with SMTP id
 6a1803df08f44-6bf7ce5f9c0mr159824486d6.43.1724094287900;
        Mon, 19 Aug 2024 12:04:47 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.46
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:47 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 12/14] systemd-boot: Use it as bootloader & sign UEFI image
Date: Mon, 19 Aug 2024 13:04:27 -0600
Message-ID: <20240819190429.2897888-13-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:54 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5978

As qemuarm64-secureboot is already using systemd as Init manager, use
too systemd-boot as bootloader. It has a simpler and more intuitive
configuration format compared to grub. It uses a single configuration
file that is easy to understand and modify.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../images/core-image-base-uefi-secureboot.inc       |  2 +-
 meta-arm-bsp/wic/efi-disk-no-swap.wks.in             |  2 +-
 meta-arm/conf/machine/qemuarm64-secureboot.conf      |  2 ++
 .../systemd/systemd-boot-uefi-secureboot.inc         | 12 ++++++++++++
 .../recipes-core/systemd/systemd-boot_%.bbappend     |  1 +
 5 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 07e315a3..e5cf7760 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -10,4 +10,4 @@ QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
 
-IMAGE_INSTALL += "systemd"
+IMAGE_INSTALL += "systemd systemd-boot"
diff --git a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
index 6ae7ad9d..6d77d3aa 100644
--- a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
+++ b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
@@ -7,4 +7,4 @@ part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label
 
 part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --exclude-path boot/
 
-bootloader --ptable gpt --timeout=1 --append="${GRUB_LINUX_APPEND}"
+bootloader --ptable gpt --timeout=5 --append="${LINUX_KERNEL_ARGS}"
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index 79ab6080..38acc97d 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -26,6 +26,8 @@ MACHINE_FEATURES += "optee-ftpm"
 MACHINE_FEATURES += "efi"
 MACHINE_FEATURES += "uefi-secureboot"
 
+EFI_PROVIDER = "systemd-boot"
+
 INIT_MANAGER = "systemd"
 DISTRO_FEATURES += "systemd"
 DISTRO_FEATURES_NATIVE += "systemd"
diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
new file mode 100644
index 00000000..c0753614
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
@@ -0,0 +1,12 @@
+DEPENDS += 'gen-uefi-sb-keys'
+DEPENDS += "sbsigntool-native"
+
+inherit sbsign
+
+SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"
+SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt"
+SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
+
+do_compile:append() {
+    do_sbsign
+}
diff --git a/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
new file mode 100644
index 00000000..caba9830
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)}
\ No newline at end of file

From patchwork Mon Aug 19 19:04:28 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47955
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6FAD2C5320E
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:54 +0000 (UTC)
Received: from mail-qv1-f47.google.com (mail-qv1-f47.google.com
 [209.85.219.47])
 by mx.groups.io with SMTP id smtpd.web11.1053.1724094290244566162
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:50 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=uhBdPLig;
 spf=pass (domain: linaro.org, ip: 209.85.219.47,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f47.google.com with SMTP id
 6a1803df08f44-6bf66fe9d8bso24238826d6.0
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094289; x=1724699089;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=2Sw6qgwfeoRcTz5HRF/e7ri5lXvqhu/5iyjFHNupvjw=;
        b=uhBdPLigHB/uNvn2SZg8Pl7neHyFE97SgHKlyrrIX6dMnM6Bky/qUBmfZiKUAkk6I5
         lA/a1RWQRmeM6vd6hyEmxTsAfUFhYzKW8o5wKKwIRh88ACfzTiRemMiKUa5xOrmk0k/U
         ksC6haOccRfYO2O0dQwUFT2fQkAisOF51deanuvs6tHloIxEj26UyrPSC3+1TQU/IuNK
         7agGaeQMtugh6I968B5oWDEgN0J/rfyVdHhpjNJX57aZOo5rq4hq58yHO4E2MWgOoy7N
         4PaaJ2rB+OeR6cADOHi6dd5F9RtzqaerBDykC237D7M0KRJFQGxG2qHbEbX631CbZZYA
         +Dmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094289; x=1724699089;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=2Sw6qgwfeoRcTz5HRF/e7ri5lXvqhu/5iyjFHNupvjw=;
        b=qsn07xPrFd1dRNFFaScvjg6P1wFRPHjT/pPwICDOSJrxh6Gf8a/KuTUB5iaGDVq072
         jX2AkJnA4y0JjgumW/LigRFo7/0kRaDU6eWeFsAgp4Av5JHFlMtE9/IZpch5ao1NbSg9
         ZvceuCGfwJ6O+a/ja6MUcIVbg2v/HdR7cyN4Htl82PfJw8RHYcPCYewuRBIzE5Yc0ya/
         IRHc0p0YmAA19Bp0fwD0RQRq2snEX3ALFLHf8M/mbFnjD/v0cr2xz3Kq5V9rNFxp/3lM
         IM3mQLi7mAWech9iyiFZUQAAxd4jJUjRpOAUkY+JNDnseHsftYI8XrRo9amVzK3St9hd
         /ZMg==
X-Gm-Message-State: AOJu0YyWRMgCMFi4zlxLsz7nNqnrCybR3lkqd6/MwppSuoQtIH+BsFtF
	uWgLK8BMQFCviqHC8TlD80mfqlUviM80ygQrmPKNdy2T12xgCj5HByajNPmjtpP3DifCmKigdkP
	o
X-Google-Smtp-Source: 
 AGHT+IEeteqhkpxN5ynqyLm0/NkL9SqrT+N6qszSsT2+H9pLi5sI/C3/lm80K9BxeUc6YTH4feCueA==
X-Received: by 2002:a05:6214:2b87:b0:6bf:7a30:f438 with SMTP id
 6a1803df08f44-6bf7ce517cfmr159380276d6.22.1724094289145;
        Mon, 19 Aug 2024 12:04:49 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:48 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 13/14] meta-arm: Add UEFI Secure Boot test
Date: Mon, 19 Aug 2024 13:04:28 -0600
Message-ID: <20240819190429.2897888-14-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:54 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5979

Add a test to verify UEFI Secure Boot is enabled

Run the test:

kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml                   |  2 ++
 .../core-image-base-uefi-secureboot.inc       |  6 +++-
 .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index 958a1ff1..02341934 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -11,6 +11,8 @@ local_conf_header:
   optee: |
     IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
     TEST_SUITES:append = " optee ftpm"
+  uefi_secure_boot: |
+    TEST_SUITES:append = " uefi_secure_boot"
 
 machine: qemuarm64-secureboot
 
diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index e5cf7760..ce64b8b5 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -10,4 +10,8 @@ QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
 
-IMAGE_INSTALL += "systemd systemd-boot"
+IMAGE_INSTALL += "systemd systemd-boot util-linux coreutils efivar"
+
+inherit extrausers
+
+EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"
diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
new file mode 100644
index 00000000..4a62b54c
--- /dev/null
+++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
@@ -0,0 +1,32 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+import os
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.oetimeout import OETimeout
+
+
+class UEFI_SB_TestSuite(OERuntimeTestCase):
+    """
+    Validate Secure Boot is Enabled
+    """
+
+    @OETimeout(1300)
+    def test_uefi_secure_boot(self):
+        # Validate Secure Boot is enabled by checking
+        # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
+        # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
+        # identifier for the Secure Boot UEFI variable. By checking the value of
+        # this variable, specifically
+        # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
+        # whether Secure Boot is enabled or not. This variable is set by the
+        # UEFI firmware to indicate the current Secure Boot state. If the
+        # variable is set to a value of '0x1' (or '1'), it indicates that Secure
+        # Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
+        # it indicates that Secure Boot is disabled.
+        cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot"
+        status, output = self.target.run(cmd, timeout=120)
+        self.assertEqual(output, "1", msg="\n".join([cmd, output]))

From patchwork Mon Aug 19 19:04:29 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 47957
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7A933C5321D
	for <webhook@archiver.kernel.org>; Mon, 19 Aug 2024 19:04:54 +0000 (UTC)
Received: from mail-qv1-f48.google.com (mail-qv1-f48.google.com
 [209.85.219.48])
 by mx.groups.io with SMTP id smtpd.web10.1084.1724094291365266873
 for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:51 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=cL2UmSJ+;
 spf=pass (domain: linaro.org, ip: 209.85.219.48,
 mailfrom: javier.tia@linaro.org)
Received: by mail-qv1-f48.google.com with SMTP id
 6a1803df08f44-6bf9db9740aso6859116d6.2
        for <meta-arm@lists.yoctoproject.org>;
 Mon, 19 Aug 2024 12:04:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724094290; x=1724699090;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=pdnG999dm3rF+hIEfVOM/gZrmTIZsPMZ3v3wSlgIkX0=;
        b=cL2UmSJ+tbtiwb9KFyuPttG+H40EL55ZiwzEpon3m7DSrlGfGlmDTJyCiClY81BOW9
         S6X2O4C9TJEQiUo89muz/Ih9s4NLR5g5rEQ+0cffNB62QfbDoBF2CH3c+syUKa6Rbxgb
         xODA8UQg40OxJTbxfmRrHPLYw2pzY/CeZ8WS+lkb/0IbETc8MZAla8guzhYLlqDPN8fi
         oz0TsbYvxHqJb/vrOePEtpkfuRjAdQmnicalBI42Z2bQWVc6gGWdgsj9qjS5TBwagjlq
         upkhf8+L+YzosW09HLlys20yDqpkcY5QDI55zSKK2+ImfwMn8NLFZ0xxgcmii7udDWhy
         Hiuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724094290; x=1724699090;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=pdnG999dm3rF+hIEfVOM/gZrmTIZsPMZ3v3wSlgIkX0=;
        b=OUtoPm9M5cRqV0ZJ53C/uvwbcQZs5ANOaGPpA0T9X9I1qg0SIYYrrJDHTPPiCCyWza
         vUuTEGgyScH6jIcvllpC6940LM5IW0E0IaqpMovOIegqaTpXHx2+96qSZjdg55jqQzIV
         jdlkgnWSc+pKqA4DbHU6ERtF9Zd56Uu88cpMyTnDp7Xw6RI4D9rxoavFeI/RWuSvGuqm
         vZwbkx+rYN/qgpS3avyiEslQlvxjfln0KaIzHYLsCbO8y1LIIr5NxO1ZJVuciMNEMHVu
         56YL6MOAb5P03nbijT1jhAuxgf6ahZg/tQeipQvI9LlcdL/bm3Nw/UXADlJzfvL90H5J
         ZZ3A==
X-Gm-Message-State: AOJu0YyOlPNQ88hzw/l7RIrAtCvaiNk4qOz19lX54GeJ9r+sDRsx8YbL
	wUZTz/aDDXl6GCPv/TOWxb2dVxTB6Sm6Z+lZ2gUkf5IF0yb5SF9rxCtE1EO6OGNt2e/3uv7rqac
	h
X-Google-Smtp-Source: 
 AGHT+IF0qYBgf2WQnHKvp4zWplRoi8vqOpbzqe276m3GTzzesVuPj+deEUGltuqdod5TpAXteLzeFA==
X-Received: by 2002:a05:6214:3f85:b0:6bf:6bf3:9611 with SMTP id
 6a1803df08f44-6bf7ce5f35cmr162091886d6.38.1724094290307;
        Mon, 19 Aug 2024 12:04:50 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([177.93.4.25])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-6bf6fe06feasm45371756d6.40.2024.08.19.12.04.49
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Aug 2024 12:04:49 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v2 14/14] qemuarm64-secureboot.yml: Set branch to scarthgap
Date: Mon, 19 Aug 2024 13:04:29 -0600
Message-ID: <20240819190429.2897888-15-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240819190429.2897888-1-javier.tia@linaro.org>
References: <20240819190429.2897888-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Mon, 19 Aug 2024 19:04:54 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5980

UEFI Secure Boot is broken in master. Set to the latest stable OE
branch.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index 02341934..cadbe874 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -1,5 +1,9 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
 
+defaults:
+ repos:
+    branch: scarthgap
+
 header:
   version: 14
   includes: