From patchwork Thu Aug 22 01:43:23 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48071
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 12F9CC52D7C
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:48 +0000 (UTC)
Received: from mail-yw1-f178.google.com (mail-yw1-f178.google.com
 [209.85.128.178])
 by mx.groups.io with SMTP id smtpd.web10.4148.1724291024011860288
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:44 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=dntNEo3h;
 spf=pass (domain: linaro.org, ip: 209.85.128.178,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f178.google.com with SMTP id
 00721157ae682-6c130ffa0adso4089257b3.3
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291023; x=1724895823;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=67YVObMV6SP0FplyibT0H1Uqtfes6/hXjLaUrIj/5iI=;
        b=dntNEo3hYEG7QdRm0C8JPdItp6+e2ZylNxZV1qtqQ5EfJf38xupH8TEgZV85YMtcns
         iIt37v+sMcxupMHMPot+k/3pwXOQLr04U+Z2gCxIypKyQjyojFRScpxS/8Bk29M4Z/qp
         Lkt78s2ROLQgd8b7vPXUxKOGfcmTrtzpUbrwZOy8hWkCg/z0qhvwLw0ddfwF0+OY7wVN
         heBXhp1k49YephaqLPpcIsTYQ7CDBF7Kfshq97/FnzG3Z1OwFCT1qps0dJlzN2TFlfOF
         y5ktXjjb4oqoaKCwMPrIPfFbX9HoqZlzKABUWreOp9dS+YNi7lsvn1tljtNw6U6lhKLD
         /Eyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291023; x=1724895823;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=67YVObMV6SP0FplyibT0H1Uqtfes6/hXjLaUrIj/5iI=;
        b=fIINHTpBpWgwMqYF6q03HgvqHhjmSiikJ/cRvmpg1wpVkK9N96FtVxa4f9+OPYbrug
         IYMV3jyOhGEJjwDOLfbMLqKVZkYUaPReyFLr4sxbsInt4Ui0GDkYZthZ0a0DdNxpVPj8
         KNdZG/FwIknGB5BhB98T14scikCNdQ/XfvubVLnv79zXtAF5kOV0JHNovm+oPeSOxQKf
         4tKPeUwaDZctw6oRGl8vnLBzZB4xJ82z9rSt4MwQoOEQ/PGGWgEEh6lIZG9l2We5kDBW
         dCli0eM6qoTSbgJhQm8UTozI1mPBYGVddS2Ojp+zZbX7E0nE1SW0Ssu+mMu3mEs2olJU
         BORg==
X-Gm-Message-State: AOJu0YzNDxB+dKdl+Qii6NtmKSwZ8Y3dxtukrJcWsb0j0POtg+hZOJ+n
	mz0eLk+eNj4gF4p+kxWDdNCoC9KTibwxsIOIG8q4aWE0eTzYnMD1KQHMRXQBCjHoB/vnn9I+EbO
	g
X-Google-Smtp-Source: 
 AGHT+IHGIzUGRzSqKE+E7cQmbJebb7VAPPUVavIxjFVmHjO9nap2k7RQ3CJgiNIHqowQvecr3x3vIQ==
X-Received: by 2002:a05:690c:428c:b0:632:12b:8315 with SMTP id
 00721157ae682-6c09d8de9f1mr40963697b3.22.1724291023067;
        Wed, 21 Aug 2024 18:43:43 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.40
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:42 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 01/13] qemuarm64-secureboot: Introduce uefi-secureboot
 machine feature
Date: Wed, 21 Aug 2024 19:43:23 -0600
Message-ID: <20240822014335.3394568-2-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:48 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5991

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/machine/qemuarm64-secureboot.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index cfc6ff77..6789b1c6 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -25,3 +25,4 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
 
 MACHINE_FEATURES += "optee-ftpm"
+MACHINE_FEATURES += "uefi-secureboot"

From patchwork Thu Aug 22 01:43:24 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48070
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 16877C5321E
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:48 +0000 (UTC)
Received: from mail-yb1-f171.google.com (mail-yb1-f171.google.com
 [209.85.219.171])
 by mx.groups.io with SMTP id smtpd.web11.4037.1724291025269000576
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:45 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=VDVQl8c8;
 spf=pass (domain: linaro.org, ip: 209.85.219.171,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yb1-f171.google.com with SMTP id
 3f1490d57ef6-e02c4983bfaso396755276.2
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291024; x=1724895824;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=O7LQHgRISQHcfF0QLO2liZofRFwc99d3sVsZckNqcRY=;
        b=VDVQl8c8cz5JhIeSAZR7oS0cYxKZ62NogpMOJStI4NqrP0UnmmdvRQlpT5R3jOSp3t
         j+3jU8s8GbfQgDv/g3zqjlVhbHGeX0CcWc3ze+b9OzRDFdVWpm+TJMc30fi3dY9IUxDr
         AAAOsOuDequ1lPxeyCjsA52PI4TL3IZPVTrYZDDPJehNbDlm3vH8dicKh/4yU6th7fT5
         i6yW6ZXG5wi/39TKT93WY2GikX3jkSkzxK6+Sek2XbHzsdpFgkxO/Dx83xyRPjqwx6fD
         lcOgc+AgSvnj9YL9EXBTxRydLbDCEqBJRnKDo1o3nmU9KkgZxD9B/RwALFCL+cEAF5ki
         tE9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291024; x=1724895824;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=O7LQHgRISQHcfF0QLO2liZofRFwc99d3sVsZckNqcRY=;
        b=pW1RfskrWaSocbQgjjHz+aWKscyuELdVnWgOfhh48ElOtr0zUPdidUBNx6Tkp+aPvR
         f8zflRs7h4PG42usZslePfMbTcgUJrkL0CglUIcT2HkbxYeQ6mb1v6OoNVZLZPBcHOiJ
         yzOqFKzYE9xoMWnMKItEhTQE/I6EB/zuzxgqfSiWy77UQoRo8BYRjPb25NUq0QAyuA7E
         9sNb/ifQCNkp7ItycR8hBcrE0OCVMzeGfs/2RldY3xjFd8bTJRScgDe7rhd91EKa78BO
         SfOHYoSQLd390wN+byzFVj7L+uwG6Z5asLPfOuq9HQzzvNP1wgTcM2pUL7jGJW2hfECd
         hrVg==
X-Gm-Message-State: AOJu0Yxn3+1TEaybfrSeG/eV6ZY9CmGlGIlacDxyphdEeoAQzweA4uqn
	bfgoBcw85jnEbGAr7gVzrixRRDou9VobR3VbOwpcsWN2Fw+l2V04Adzl57eCGv1Eih+wvWnoO2e
	m
X-Google-Smtp-Source: 
 AGHT+IFC/P8CpSdx/Hx3d9uUR9WOn6glB6S1jnhkWjyLYJqgg2FPMCKdC1jGbQolaIIAd8VFS03wMg==
X-Received: by 2002:a05:6902:168e:b0:e16:5443:4c1 with SMTP id
 3f1490d57ef6-e16664a50famr5520443276.35.1724291024270;
        Wed, 21 Aug 2024 18:43:44 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.43
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:43 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 02/13] core-image-base: Use UEFI layout disk partitions
Date: Wed, 21 Aug 2024 19:43:24 -0600
Message-ID: <20240822014335.3394568-3-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:48 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5992

- Use efi-disk-no-swap.wks.in disk definition to add expected UEFI disk
  partitions configuration.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../recipes-bsp/images/core-image-base-uefi-secureboot.inc       | 1 +
 meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend         | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
new file mode 100644
index 00000000..351e9030
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -0,0 +1 @@
+WKS_FILE = "efi-disk-no-swap.wks.in"
diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend b/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend
new file mode 100644
index 00000000..1f6dbd24
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'core-image-base-uefi-secureboot.inc', '', d)}
\ No newline at end of file

From patchwork Thu Aug 22 01:43:25 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48072
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 24521C5472C
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:48 +0000 (UTC)
Received: from mail-yw1-f169.google.com (mail-yw1-f169.google.com
 [209.85.128.169])
 by mx.groups.io with SMTP id smtpd.web10.4149.1724291026424948214
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:46 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=O54gTqrz;
 spf=pass (domain: linaro.org, ip: 209.85.128.169,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f169.google.com with SMTP id
 00721157ae682-691c85525ebso3288767b3.0
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291025; x=1724895825;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=i3FMcrxoQMEjfxeuNGxbNN6+IFf/qUnBbfx9yY/tZpY=;
        b=O54gTqrzIqEKk6cFg03H8Txj6ItsFWQcnzQZg1jy6iX+GjgJaHBAHrTc88EkrYx31B
         h+2SQ3H0qfHsOkLRd5ib7ncRpp3i91mNx8zuhv/8Ph9h5z8T/2Mq//uUkT49nkMtQVVl
         g9UAujNCv2pPceSS1z6lQuM0pLrqELqtvKI7nPV65bVhR50bCZdYWqFbLC+kyj44yQGn
         4kHs+BDG84WULBR2gRlSNl1EoLVWI1ZxOUDd5k+3qThWa3VzrCXEhl+WE6fbLKVUQ+PP
         aA5vcImVl3jtnRp0RCBV0FpSDFXRQer0Eq5GgjJW0p/QreH+4vCGtYVaFur/QnFzyGvB
         HqtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291025; x=1724895825;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=i3FMcrxoQMEjfxeuNGxbNN6+IFf/qUnBbfx9yY/tZpY=;
        b=ZbMUifavGCo5JYv6c4L8oY92zPQRbqjl1WrI4t/D/bxtadLdx2o/0IS4Ltv9fHw5m6
         ocGGvNvG+h9glceky5OG0zbwH7a/PaC61maMn3l+9vgpb8jts/rlL/7Fs19KrsODDTRM
         0hP/DBmBrBv86UW4l6aGRpLE19AE1z3tTTXqZ3HFlwRZ9asE47t2Pw7o81Ay4B7hxzwa
         DQFm2aW+NBE4AzMl9GmQzUABA83NnM2haIUvJB4Fv1QDs/8BSf9Z0zw7kFSh64YD3t9c
         Vd5wIME32CMDjjBG2cyiLiWbx36ZZeIp8+nafcCdywqaHEOtGhfnIR4YvKfoOM2TIruz
         PrJQ==
X-Gm-Message-State: AOJu0Yw4sJHblhEbL8odJVkDbD/VzHawlZqp9rtOQx4xf6AW9dAPYUz8
	aymRMKffUArWa4gwEeKsrhttFL6zfvctltJgOIJNNb/utmqDdUsptZ+3LmNS1kFHbHHT+4zA95r
	B
X-Google-Smtp-Source: 
 AGHT+IFzAFyMpyHiNxAUSXyKzirLQUPnuu68Ej4xMFRE6d7kNfcqiT9H21K6yWvNHUfLBurs+libaw==
X-Received: by 2002:a05:690c:6d0e:b0:6b4:3caa:e842 with SMTP id
 00721157ae682-6c09d8dc019mr58659647b3.18.1724291025457;
        Wed, 21 Aug 2024 18:43:45 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:44 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 03/13] layer.conf: Introduce UEFI_SB_KEYS_DIR
Date: Wed, 21 Aug 2024 19:43:25 -0600
Message-ID: <20240822014335.3394568-4-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:48 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5993

UEFI_SB_KEYS_DIR saves UEFI keys path.

To avoid security issues, UEFI keys are not provided and they can be
generated by gen_uefi_keys.sh script.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/layer.conf               |  2 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh

diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
index 9e9c9dbd..2854dd69 100644
--- a/meta-arm/conf/layer.conf
+++ b/meta-arm/conf/layer.conf
@@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet"
 addpylib ${LAYERDIR}/lib oeqa
 
 WARN_QA:append:layer-meta-arm = " patch-status"
+
+UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
\ No newline at end of file
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
new file mode 100755
index 00000000..fc7f25c9
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
@@ -0,0 +1,35 @@
+#/bin/sh
+
+set -eux
+
+#Create PK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+
+#Create KEK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
+sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+
+#Create DB
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+
+#Create DBX
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
+
+#Sign image
+#sbsign --key db.key --cert db.crt Image
+
+#Digest image
+#hash-to-efi-sig-list Image db_Image.hash
+#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
+
+#Empty cert for testing
+touch noPK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+

From patchwork Thu Aug 22 01:43:26 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48073
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 02302C52D6F
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:48 +0000 (UTC)
Received: from mail-yw1-f173.google.com (mail-yw1-f173.google.com
 [209.85.128.173])
 by mx.groups.io with SMTP id smtpd.web11.4038.1724291027511798368
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:47 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=QnAIiiq5;
 spf=pass (domain: linaro.org, ip: 209.85.128.173,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f173.google.com with SMTP id
 00721157ae682-6b3afc6cd01so11965057b3.1
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291026; x=1724895826;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=SLHu6PRlZnCzW/rU1UEj78mshvoxk7WjoojsTwAZ3/I=;
        b=QnAIiiq5PmOBnxxCWnqm831lYUvQ9a47teDy3oTXV/nPH1pez/6rpt+jNkKV85H4Nq
         vAmXVj/ZsdxGjxKl5TXD73bDoVslJUow3UNWnY64mRwQGN4MRmlmXsnYNdXqTcfbGNw3
         A8TekVQ0YWGyv0nVs6M6+lSIKKMEJQKEAFGH1GWCmNvVZsp9McSutrz8mbhKYZGDHnRy
         h3Jj7g0ApNcZFmb605z5O21yAoJJRz/o0w0rRvQsALQBvmaf2YxtrV+c3DVQCmvUtPJ6
         H+t5+dTmXtGGRb5rULQYQe44TRAPCA8zxXvCX8h1WZ19dn+GnLzVevADmA8RyoMJWqhy
         12Rw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291026; x=1724895826;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=SLHu6PRlZnCzW/rU1UEj78mshvoxk7WjoojsTwAZ3/I=;
        b=eoNYAhtu2xcIo0ip42z3Y5jOSL0IQUyu1XooB4TIVEAEL2TLMOPNzTFOAOByLhD0DG
         XLkXlUDvYRmqqX1jStOZVxBN0zHwClxJPAJcRleZKCQfDvfs06vMeeHuj81HngaAw4TB
         X6fZOrciIDQ6GvlvYnc1HaCr/NC8/+ZDDavgnIbarmINqcaGr8tLd+VaAeHcgsRJdf9C
         boW4vJ7fpFlGSmDBwG7e8S0kHAwsnZ4Bo1cLmHpoSdrJ6VlKluh8U0ONeg54Z7fjSUJ0
         ls3z6o/yX/IBSku2/s1agLHMnu/TeLHQ39lffUVr+ZQ8JakGk4u+lmpzXcEttv4Acse9
         vV1g==
X-Gm-Message-State: AOJu0Yw751wgs/fSKdQd4syvAc4PlzLH72ycsgLuBYcnHStz4MmU0Rr0
	SLmDobCMa26kciOxBq3mdyryKCiQvoOx4sJMiQBR4YyjfWzP7xsWqhIewjJ2gMUteRlKoM2duut
	O
X-Google-Smtp-Source: 
 AGHT+IE9OWRI3njPkULq/BdO5og6g6bL9i2OGaWns6ubu9LQvAKaGvvra2IlPxYfKJ9TdAcOfVcEEA==
X-Received: by 2002:a05:690c:f94:b0:66b:c28b:f234 with SMTP id
 00721157ae682-6c306357b9emr15734987b3.21.1724291026533;
        Wed, 21 Aug 2024 18:43:46 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.45
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:46 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 04/13] uefi-sb-keys.bbclass: Add class to validate UEFI
 keys
Date: Wed, 21 Aug 2024 19:43:26 -0600
Message-ID: <20240822014335.3394568-5-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:48 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5994

Without UEFI keys, signing will fail and the OS will not boot.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass

diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass
new file mode 100644
index 00000000..e800b4c6
--- /dev/null
+++ b/meta-arm/classes/uefi-sb-keys.bbclass
@@ -0,0 +1,24 @@
+# Validate UEFI keys
+python __anonymous () {
+    if d.getVar("UEFI_SB_KEYS_DIR", False) is None:
+        raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.")
+
+    # keys used for UEFI secure boot
+    uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR")
+
+    keys_to_check = [
+        uefi_sb_keys + "/PK.esl",
+        uefi_sb_keys + "/KEK.esl",
+        uefi_sb_keys + "/dbx.esl",
+        uefi_sb_keys + "/db.esl",
+        uefi_sb_keys + "/db.key",
+        uefi_sb_keys + "/db.crt",
+    ]
+
+    missing_keys = [f for f in keys_to_check if not os.path.exists(f)]
+
+    if missing_keys:
+        raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), )
+            + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys)
+
+}

From patchwork Thu Aug 22 01:43:27 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48074
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 18DBBC52D6F
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:58 +0000 (UTC)
Received: from mail-yw1-f173.google.com (mail-yw1-f173.google.com
 [209.85.128.173])
 by mx.groups.io with SMTP id smtpd.web10.4150.1724291028705999907
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:48 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=g1dN9+SE;
 spf=pass (domain: linaro.org, ip: 209.85.128.173,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f173.google.com with SMTP id
 00721157ae682-68d30057ae9so3293077b3.1
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291027; x=1724895827;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=jKeLT5wECjxCPh0q9TVfT28Dr9BXXolYW1ml7VAYpJM=;
        b=g1dN9+SEImPwWexkqCqT4/X6YIMuKwOr61pWmBGH7DAff2/+6PA2vpEouXm/vy7t0a
         IqwrRSB7rkqMGsTG8cKMy8YP9j5wptXM4+FWD2Bw28gwLJqNYFLzX4nrI9H67w9YY5f2
         rvswCB84BdiQy7eSty4mgTrwP2FPKL5yT0crWgRLusySJc4qGpfJ/Wg5cAGMVxTdjeU/
         82mLcG4ZbAm7brIiV5y3W99m0D+yWVvZlQXI4BJfFpGyfRUaDUgXmz14wwrYFHrtyAV3
         GEKmyc9fR7x+FPv7TmYiXGulNRL/aBzWYGEefV/xvJwGPt3MDtK7QqRXlOa0j/GgoR1z
         wHjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291027; x=1724895827;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=jKeLT5wECjxCPh0q9TVfT28Dr9BXXolYW1ml7VAYpJM=;
        b=XCTJKjy5pUs3u/INJB1np4dgEBs9jYW2fSnPoP8T9XTpiEkYgjG2GKPDu1QbxZpFEp
         46272noE9JGn9FWWLc9PmcshFtgwdjVaWorDurCTf4rwtlYjng7IMrtOfeA7dyHNaFlS
         BOm2+dBWSBC6EVwqb0NWfwynrEC/CnTvCKvKFe1BNxYW/H2nA5jN4KU6nZ20QKW1nyFC
         CAeYh5ANVHKHnp65ASdrIsZWrE1g/YLnqTGTAJFuIRXGq0WFyaX84TqA9op/GGHOc6W8
         apDb0NIxgppW7QQtM9xC1pY3qQDUWsxxQZTVvO1Ebq/LGeISrHE6UFlHDIR481OmhUth
         7ijg==
X-Gm-Message-State: AOJu0YxfwWtjo9sd7mrIWaCyvgGBOuj9yM5c8EPSIjkMUcetvY/FhZLf
	JJYxtvo+7S4I+LqD/lqZ94zXP5KbcJeXOBDD82XO+jve9XnFnnSIjB4zjcstxfr85EPf3KNxCuD
	S
X-Google-Smtp-Source: 
 AGHT+IE21Dx7RFcLUpQgu2zmo93kapXCcQ7giJE7sFEJOkvZNnaABEUktMLb7OQ4d6vfA/RRUCMYsw==
X-Received: by 2002:a05:690c:768b:b0:6b0:e813:753b with SMTP id
 00721157ae682-6c3d60b85aemr4020857b3.38.1724291027645;
        Wed, 21 Aug 2024 18:43:47 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.46
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:47 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 05/13] sbsign.bbclass: Add class to sign binaries
Date: Wed, 21 Aug 2024 19:43:27 -0600
Message-ID: <20240822014335.3394568-6-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:58 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5995

A lot of recipes are using these same steps to sign binaries
for UEFI secure boot.

Authored-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 meta-arm/classes/sbsign.bbclass

diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass
new file mode 100644
index 00000000..a99c0218
--- /dev/null
+++ b/meta-arm/classes/sbsign.bbclass
@@ -0,0 +1,39 @@
+# Sign binaries for UEFI secure boot
+# Usage in recipes:
+#
+# Set key and cert files in recipe or machine/distro config:
+# SBSIGN_KEY = "db.key"
+# SBSIGN_CERT = "db.crt"
+#
+# Set binary to sign per recipe:
+# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign"
+#
+# Then call do_sbsign() in correct stage of the build
+# do_compile:append() {
+#     do_sbsign
+# }
+
+DEPENDS += "sbsigntool-native"
+
+SBSIGN_KEY ?= "db.key"
+SBSIGN_CERT ?= "db.crt"
+SBSIGN_TARGET_BINARY ?= "binary_to_sign"
+
+# makes sure changed keys trigger rebuild/re-signing
+SRC_URI += "\
+    file://${SBSIGN_KEY} \
+    file://${SBSIGN_CERT} \
+"
+
+# not adding as task since recipes may need to sign binaries at different
+# stages. Instead they can call this function when needed by calling this function
+do_sbsign() {
+    bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}"
+    ${STAGING_BINDIR_NATIVE}/sbsign \
+        --key "${UNPACKDIR}/${SBSIGN_KEY}" \
+        --cert "${UNPACKDIR}/${SBSIGN_CERT}" \
+        --output  "${SBSIGN_TARGET_BINARY}.signed" \
+        "${SBSIGN_TARGET_BINARY}"
+    cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"
+    cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}"
+}
\ No newline at end of file

From patchwork Thu Aug 22 01:43:28 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48077
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 49D7AC5321E
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:58 +0000 (UTC)
Received: from mail-yw1-f179.google.com (mail-yw1-f179.google.com
 [209.85.128.179])
 by mx.groups.io with SMTP id smtpd.web11.4039.1724291029752937295
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:49 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=YYweEaUW;
 spf=pass (domain: linaro.org, ip: 209.85.128.179,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f179.google.com with SMTP id
 00721157ae682-6c130ffa0adso4089787b3.3
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291029; x=1724895829;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=d4QveURaOEPjRXZzrUewBCfHkU+UFxipcUv9I+R+wcQ=;
        b=YYweEaUWZuLeUa8DNuvdoakxJEb6BppDYNrEPN2CRRqpvzEVyHdk1mY4wuNUfZ5cZa
         EthxdJoUV1foI08quvG8gJ3G/SvXfolOP+QoKyBGH0a1Qm8yOqMosj7gf87HgeQViwIr
         Vkp3lgK/l9pFEP8hRzqYsDbdUv6H7ShtcWarTVuA8OhYqkrOMY4WpYYHrjqrit+4GSbB
         iM/aWCqZdVw8iph26ohTKoecr3k+MfHCM4Bkc4BHIdN0V7IHx/ICR9nRcUQjbtWgAQEH
         Op2C4mFRMPT0Vk0cJbHGe9AGxkEn3MUTArX8yktB56pefu9TQRMhy15yAPCIgn5iXLjt
         q/bA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291029; x=1724895829;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=d4QveURaOEPjRXZzrUewBCfHkU+UFxipcUv9I+R+wcQ=;
        b=m7inUFgOZ+s7NDyUYxy8LSkbbcmu73YwL+lO/uDJV/zTeF0Y3M5hsxwIwkKWRc8nHC
         bBGPQiSCCgffxCmOnbCnKwq0KJCqNxXYsjsJbSgapQjYWBeVXQBbwutHt/LNg7++BJve
         mK8BgO158yLMrj+1EW6Il3y5MnJ3G9XxhASPqwOcroIpd9mbDUdYfqXuoxW/VzMxAAxD
         KUkX8snbbuPw3pMHtrVjmzlLQAmSITzOBeTvPSIW/BWQtl2+OjEI/36ot09XD56F+r8/
         tVZCucv7X4yfaCis28oybVBxSiPp1OIA8sbJfYOQUICSuMszXQ2qgPicJBE2nxT9XwTB
         +24g==
X-Gm-Message-State: AOJu0YyII25joWPLuVJM1DU6uCVrlUZimz78yvm6BeLdU2NaoCzKoRNc
	AnUhgCptirnMZE/O/a6N+N3UE1hgDHcUe5kVjacrUU7StOUesXkSFoWFx3+rhHAmE4aYnyJyV/v
	x
X-Google-Smtp-Source: 
 AGHT+IF1s6+yuQFPetnfl7rLSpxY4POrUFPU066x9thNcWb80eojxZbBgX+sUKUJbvhGOkiRiV6ZFQ==
X-Received: by 2002:a05:690c:18:b0:646:25c7:178e with SMTP id
 00721157ae682-6c09c1c02d7mr54286587b3.5.1724291028738;
        Wed, 21 Aug 2024 18:43:48 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.47
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:48 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 06/13] core-image-base: Inherit uefi-sb-keys
Date: Wed, 21 Aug 2024 19:43:28 -0600
Message-ID: <20240822014335.3394568-7-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:58 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5996

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../recipes-bsp/images/core-image-base-uefi-secureboot.inc      | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 351e9030..2232d3b3 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -1 +1,3 @@
+inherit uefi-sb-keys
+
 WKS_FILE = "efi-disk-no-swap.wks.in"

From patchwork Thu Aug 22 01:43:29 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48080
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5844CC5472E
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:58 +0000 (UTC)
Received: from mail-yw1-f178.google.com (mail-yw1-f178.google.com
 [209.85.128.178])
 by mx.groups.io with SMTP id smtpd.web10.4151.1724291030773666011
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:50 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=ldKAk7AX;
 spf=pass (domain: linaro.org, ip: 209.85.128.178,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f178.google.com with SMTP id
 00721157ae682-691c85525ebso3289157b3.0
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291030; x=1724895830;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=Y6cnGubIUPfqUNMZsTLbuxSnui3vnRbhrJbBfO5KvAM=;
        b=ldKAk7AX/PKxhm3jqObBZel5WcWw5h8xLr/vYiS5KGUWatl6nqI6u3QhHfK1XcbiD7
         NnVYZKZwFvdNOIzO//aoNau/OIbHCdf9MQsDdcHyCZJI8CIGvq3VpU5GYMp8ETYAQ7eZ
         CNSrlgSn22apYc+c1qPj857IMWPaWOx9cy85ljAs6zjU9wbktv/a3EacYwjmadUFggwo
         u5klUycYZMOcKA3ir6FznPaiNvw9gorS0m3GImH5Cb+G9V3dKFdQYkA9/uP/Fvzs3ZnY
         tphBwTs/9GY/+0l5GZFwiQumejJghbAeD7tT4ubVcdaz1DraHkae1b1jJqGbkfRoW85j
         E5TA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291030; x=1724895830;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=Y6cnGubIUPfqUNMZsTLbuxSnui3vnRbhrJbBfO5KvAM=;
        b=XFiEdppac0TGTLSuk6VWtrniV7xBVF90I192it1ODjkakyXPhOljfqaYKM2aTyAl2H
         XNawawGX4oeeq9+yYVw7Qd4TkpD3Tw/PNPvzTh1lCduL9iBeFPTFSY9Fc1UxFtdCc03D
         4jQMvMnI1tH/pFVWtRp20ft55LWQSCQZJRIzuzbo5JSLugGXlJ1ntz6+TPU4Mpu1tiCW
         zEJDxfjNg1l/9W244at/cmwqzcboXsjnhn63Pbw8SB7C0eB+CDOUJJACCXv4+ZIPyoTk
         z+CSZ4Q8yaylYPKwe9o8ZPV8k0jz9Zuax7Sea2zXku7U+sug2RZEHn2VDJPYxxG1vf1l
         Vo5g==
X-Gm-Message-State: AOJu0Yxcybif4XrWlFAHi2CCRrkSupSuFh0mT6V7WiL2D4lfj+yYY2mX
	YmKJejGe9uYIes0IFhW+R+ZgP4oAfhlodUwgtYY9B9FwRa84It354cvVbxcfxE79R+gpIJuEFtw
	C
X-Google-Smtp-Source: 
 AGHT+IHq0gljN/KYAqIMseWn1wb3Qhr/V75BJ1ARanFTKY4yE9oL2G2YC56LFQWeGQBnVYDId/r5vg==
X-Received: by 2002:a05:690c:7087:b0:6be:97e7:ff76 with SMTP id
 00721157ae682-6c09cd4e756mr51306977b3.11.1724291029818;
        Wed, 21 Aug 2024 18:43:49 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:49 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 07/13] meta-arm: Introduce gen-uefi-sb-keys.bb recipe
Date: Wed, 21 Aug 2024 19:43:29 -0600
Message-ID: <20240822014335.3394568-8-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:58 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5997

Generate a new set of keys on build time. It avoids to use same keys
which could generate a security issue.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++
 meta-arm/uefi-sb-keys/.gitignore              |  4 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 56 +++++++++----------
 3 files changed, 57 insertions(+), 29 deletions(-)
 create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
 create mode 100644 meta-arm/uefi-sb-keys/.gitignore

diff --git a/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
new file mode 100644
index 00000000..a4ae6d87
--- /dev/null
+++ b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: MIT
+
+SUMMARY = "Generate UEFI keys for secure boot"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+DEPENDS += "bash-native"
+DEPENDS += "coreutils-native"
+DEPENDS += "efitools-native"
+DEPENDS += "openssl-native"
+
+SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh"
+
+UNPACKDIR = "${S}"
+
+do_fetch[noexec] = "1"
+do_patch[noexec] = "1"
+do_compile[noexec] = "1"
+do_configure[noexec] = "1"
+
+do_install() {
+    ${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh ${UEFI_SB_KEYS_DIR}
+}
+
+FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key"
+FILES:${PN} += "${UEFI_SB_KEYS_DIR}/*.crt"
diff --git a/meta-arm/uefi-sb-keys/.gitignore b/meta-arm/uefi-sb-keys/.gitignore
new file mode 100644
index 00000000..f8669919
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/.gitignore
@@ -0,0 +1,4 @@
+*.auth
+*.crt
+*.esl
+*.key
\ No newline at end of file
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
index fc7f25c9..21e65c72 100755
--- a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
@@ -1,35 +1,33 @@
-#/bin/sh
+#!/bin/bash
+#
+# SPDX-License-Identifier: MIT
+#
 
 set -eux
 
-#Create PK
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
-sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+KEYS_PATH=${1:-./}
+SUBJECT="/CN=Linaro_LEDGE/"
+GUID="11111111-2222-3333-4444-123456789abc"
 
-#Create KEK
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
-sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \
+    -keyout "${KEYS_PATH}"/PK.key -out "${KEYS_PATH}"/PK.crt \
+    -nodes -days 3650
+cert-to-efi-sig-list -g ${GUID} \
+    "${KEYS_PATH}"/PK.crt "${KEYS_PATH}"/PK.esl
+sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
+    "${KEYS_PATH}"/PK "${KEYS_PATH}"/PK.esl "${KEYS_PATH}"/PK.auth
 
-#Create DB
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
-sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
-
-#Create DBX
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
-sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
-
-#Sign image
-#sbsign --key db.key --cert db.crt Image
-
-#Digest image
-#hash-to-efi-sig-list Image db_Image.hash
-#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
-
-#Empty cert for testing
-touch noPK.esl
-sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+for key in KEK db dbx; do
+    openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \
+        -keyout "${KEYS_PATH}"/${key}.key -out "${KEYS_PATH}"/${key}.crt \
+        -nodes -days 3650
+    cert-to-efi-sig-list -g ${GUID} \
+        "${KEYS_PATH}"/${key}.crt "${KEYS_PATH}"/${key}.esl
+    sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
+        "${KEYS_PATH}"/${key} "${KEYS_PATH}"/${key}.esl "${KEYS_PATH}"/${key}.auth
+done
 
+# Empty cert for testing
+touch "${KEYS_PATH}"/noPK.esl
+sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
+    "${KEYS_PATH}"/PK "${KEYS_PATH}"/noPK.esl "${KEYS_PATH}"/noPK.auth

From patchwork Thu Aug 22 01:43:30 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48081
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6A1EAC5472D
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:58 +0000 (UTC)
Received: from mail-yw1-f170.google.com (mail-yw1-f170.google.com
 [209.85.128.170])
 by mx.groups.io with SMTP id smtpd.web10.4154.1724291032047436550
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:52 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=gipI6bAZ;
 spf=pass (domain: linaro.org, ip: 209.85.128.170,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f170.google.com with SMTP id
 00721157ae682-68518bc1407so3738927b3.2
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291031; x=1724895831;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=4i8i4tDl/w+2Hz1m76fbFHZdoBoOcID//NRfTskNKvw=;
        b=gipI6bAZhqsbVnBUCP7FAMO5X+xufmhfdkepr1Npfdb1tSP42i+ITpdcxCvEsuiENA
         dhRn2Pla9H/YB0TeE5ROR3UuAbcgxBUjfH253YNVo2CpVSqrY/F/aPcpHCT69VaSe8wr
         PoQ2cvpI4a+DBgECqrFahs/28PBFR9CxgnbTTnYk/IZFBnEMh4ytTqnA+z3Xiuvj2JTw
         A6ohA9gMrDRRY90Quie98jXeQ1Og/IpZ0Suu5j1eCVxFv1n1Ak4+ubLXjZoOy3FgD2iz
         y+Za6x633mVl4m3lbMNoNva+GuN6wrwIBlRCAzHyGl6tw8C12P8eeY6yzhBV4ZhLc5cT
         A4RA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291031; x=1724895831;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=4i8i4tDl/w+2Hz1m76fbFHZdoBoOcID//NRfTskNKvw=;
        b=gEMnFU4lBtG1mm0l9hcKFiJYDhhnviDRQK2ZF2Avt5VOr4Fu5IdfVg27sCoC5zloJr
         kYvKVpZoWQJ0Ovaw4Q1k+PidbWjQBGp++NPAsebvDA28+zSU9otEYC7VTFFmYq0Ekyec
         +qf8+onJ6+o8FXrv8AyvbIPhPtMBa+9+ODmNih5BbZwlMVQKxF1Tmtx8/J95lak47Mem
         Bt5SqNTN6YnZmZqQd688D+pKH1p3phaeyNXGVbiWPAyOWvPgNp5IDTZwcL+Gbp4M66ex
         0Vn0CqKYpJLp7kioaSdIlO/vY1CgWDNIiuzsnvll10we7LFzaYl2RNntCFv8imEuHTOq
         u1rg==
X-Gm-Message-State: AOJu0YySll6DUOOiv4WJdmGCVjUjx2wTu/HnHLNA+B5dZQcPFxKzOCPJ
	iKm0TpJVNMI6bx3EQEGEOlfic9vxOlDcN+ByY3xS8UHORMO6nvKG2094Mj8VoklvjTQTRFtHUqo
	u
X-Google-Smtp-Source: 
 AGHT+IERBpv9KA5aPLYSKpLN+cMDbmtTUGYoBPOAFSverfy8ZCENdAajSSSKaSflKpitwpxZsd1xVA==
X-Received: by 2002:a05:690c:f10:b0:64b:75d8:5002 with SMTP id
 00721157ae682-6c3d149f64amr4524527b3.9.1724291031048;
        Wed, 21 Aug 2024 18:43:51 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.49
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:50 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 08/13] u-boot: Setup UEFI and Secure Boot
Date: Wed, 21 Aug 2024 19:43:30 -0600
Message-ID: <20240822014335.3394568-9-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:58 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5998

Add U-Boot minimal UEFI definitions.

Embedded UEFI variables with the keys previously generated. It's to
enable UEFI Secure Boot and verify the authenticity of the firmware and
operating system.

When U-Boot is built with UEFI support, it includes a set of efivars
that are used to store the Secure Boot variables. These efivars are
embedded in the U-Boot binary and are stored in the flash memory of the
system.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../u-boot/u-boot-qemuarm64-secureboot.inc     | 18 ++++++++++++++++++
 .../u-boot/u-boot/uefi-secureboot.cfg          | 10 ++++++++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend       |  2 +-
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg

diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
new file mode 100644
index 00000000..ffad08e4
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
@@ -0,0 +1,18 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://uefi-secureboot.cfg"
+
+UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"
+UBOOT_ENV_NAME = "qemu-arm.env"
+
+DEPENDS += 'python3-pyopenssl-native'
+
+do_compile:prepend() {
+    export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
+
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk  -d "${UEFI_SB_KEYS_DIR}"/PK.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db  -d "${UEFI_SB_KEYS_DIR}"/db.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file
+    "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
+}
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
new file mode 100644
index 00000000..d2edb5fb
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
@@ -0,0 +1,10 @@
+CONFIG_CMD_BOOTMENU=y
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="bootmenu"
+CONFIG_USE_PREBOOT=y
+CONFIG_EFI_VAR_BUF_SIZE=65536
+CONFIG_FIT_SIGNATURE=y
+CONFIG_EFI_SECURE_BOOT=y
+CONFIG_EFI_VARIABLES_PRESEED=y
+CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
+CONFIG_PREBOOT_DEFINED=y
\ No newline at end of file
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
index 11f332ad..ee815b6a 100644
--- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -5,6 +5,6 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
 MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
 MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
 MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
+MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"
 
 require ${MACHINE_U-BOOT_REQUIRE}
-

From patchwork Thu Aug 22 01:43:31 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48078
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 36CB7C5321D
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:58 +0000 (UTC)
Received: from mail-yw1-f172.google.com (mail-yw1-f172.google.com
 [209.85.128.172])
 by mx.groups.io with SMTP id smtpd.web11.4040.1724291033154939382
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:53 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=SuX7vzUc;
 spf=pass (domain: linaro.org, ip: 209.85.128.172,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f172.google.com with SMTP id
 00721157ae682-6b8d96aa4c3so3204737b3.1
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291032; x=1724895832;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=c5+tBxeFbiWkfJkiZMiVStk0WUgY+OMHmCiMHBeRQPM=;
        b=SuX7vzUcx7padaCNgq+b2qFSHbS0lhsNDxHTcOo43n8xDSlue7mpt21i4G7ppc/p+x
         2/Z0/GivD+MMg75xhBTrpZSoC7PPKZ3YiOKa3h8aMOUv5l1mpPsixEO54p4APzIILSUi
         fb0Gn1AIIt8cRM+nWzQejW+TC9/kMwTtZ/nxBKeZjBr8W2chpKLQm9dt6oopE40+C2Sy
         O2fE/TZzaPJ/rBnFdLIdUSeuWe3L9XIdT2GCtxBg187eV2FCbK6Z/jdBHmCC0S+VWX+0
         ewE4kTjnUiadoR3AEfmyuZqeTbuq2ZmNrIFYE1KvQO4rE1kbBMHYaGc8Qo1y0rTkQ0Qu
         Ixog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291032; x=1724895832;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=c5+tBxeFbiWkfJkiZMiVStk0WUgY+OMHmCiMHBeRQPM=;
        b=rP57ZmINazbEvsTQzZwG6ZhhzKpXQBMOXvHjayPhEubEJAZ6LvrZ2xGT3za1Z3i0Gm
         fbzH6B2XsMSo/sHhvqUtzZI0VCFpMxaUUCz9UgWREdaq0aifwn1/HMIOoMHoXfhRPKG+
         JJAu+g2EXaCbWKB3PufRDqJxTqIpWCMk/yhb4e1LoWJbIfbWKgdi8r9bdBBOLZztTW5S
         gRyy1sjyO6n6zcrhaBWumItkryDlwsIv97/cJOpBKoOTe53hqPDu0BnBbQzxtcgp743y
         GWbJfdzBx/i8Vy2CZQ6brdnumQqI7K6QzNaAKZYuJFKXcVM4GisIT09LH4wdjaVybjjb
         kF+Q==
X-Gm-Message-State: AOJu0Yw3SGH91AiGGpbQ75Kg3CML6voRwpbe39FE6WFbMp7OnlzIH81m
	09H9ZMgfdh9Hv8z60nx03j33bwt7eh3pC8ww0Do1LuLi9sfxzhpiyLfOL6EBIGqb39fUia+yCXL
	9
X-Google-Smtp-Source: 
 AGHT+IE9ug0jzwpgVZEpwL1cKdT0A8eNpLtgEOkEZssLvu5gDm1s2yp1BJeMItNB2/9Aiq46UzbafQ==
X-Received: by 2002:a05:690c:e1f:b0:6ad:91df:8fad with SMTP id
 00721157ae682-6c09e65fa77mr56226337b3.26.1724291032110;
        Wed, 21 Aug 2024 18:43:52 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.51
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:51 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 09/13] qemuarm64-secureboot: Add meta-secure-core layer as
 dependency
Date: Wed, 21 Aug 2024 19:43:31 -0600
Message-ID: <20240822014335.3394568-10-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:58 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5999

meta-secure-core is required because of sbsigntool.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index b26941e0..958a1ff1 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -4,13 +4,15 @@ header:
   version: 14
   includes:
     - ci/base.yml
-
-machine: qemuarm64-secureboot
-
-target:
-  - core-image-base
+    - ci/meta-openembedded.yml
+    - ci/meta-secure-core.yml
 
 local_conf_header:
   optee: |
     IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
     TEST_SUITES:append = " optee ftpm"
+
+machine: qemuarm64-secureboot
+
+target:
+  - core-image-base

From patchwork Thu Aug 22 01:43:32 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48076
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 4A0A5C5472C
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:58 +0000 (UTC)
Received: from mail-yw1-f182.google.com (mail-yw1-f182.google.com
 [209.85.128.182])
 by mx.groups.io with SMTP id smtpd.web11.4041.1724291034313872862
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:54 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=WkDyJX2R;
 spf=pass (domain: linaro.org, ip: 209.85.128.182,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f182.google.com with SMTP id
 00721157ae682-690b6cbce11so3392187b3.2
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291033; x=1724895833;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=MNiYqaJ6/dp6Rz4Asy2D9hWleJVQzKyC4j+Ug6hTpEI=;
        b=WkDyJX2RYnTqTP+ffmTEXUoeBO5mzjvBk3FtdF6YmrnOD6f9Cp+IoUjNzkxpmKr1Mi
         NuV1I0RORPLKzzZYX5cO136yYoovOxmreN3kIJT6M9VuyrVxTFnJlfUzxRokqVejpqIG
         p2vlS7K5AzPh2aeFH4uOlUwqfDZa+s00QQJyivuJiIMipcBTil2bHRz8J17+p4GhuvG4
         e5cm/Z50igjgBSzg/JleCvrmMN37CnqAjmKSk3fIh8Hcxo2vQcy9QZQpoLFwpI1uv2Mw
         OYQVNvRJOnEOzcrf8zcLFXLzqH2XwrIkK5pQImFolKo4FIkBwTc3Ac9hdfSjz01c8Mdw
         PZ4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291033; x=1724895833;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=MNiYqaJ6/dp6Rz4Asy2D9hWleJVQzKyC4j+Ug6hTpEI=;
        b=XLwXDoGdjyHx1DqONbo3V3UzP97DMYrOh5WNP7HXqARZJrlpyh0PMDO2OySUdzITb4
         IiDKuJip3rj4Clj41Ei0DmsPvRwObJa1r98ANZLlpwR08PcEsF8tJobpy9oumznuSE+g
         oa93lJj+f6MdGnsL/dTIHQcV8bEKb/9E3+/wJeI4EvWSJiyMrKqlEv9wZCtfcom89Le5
         EvLcA0nPGHJ0RsnWzTHLqB92eyDgR0dclkXEbLhxCp75ISeeN2d5cmvpmQo+UjscGByp
         5ZEt88aKN6aazic9qyPc4Z9bB3+iA5xd7K3EGAZqxsEl6LcEELE3CFqT/MRnYM6LjYZm
         4P4Q==
X-Gm-Message-State: AOJu0Yxf89qrXX7yIgI0l0lZ1aiSpnPICOJ0Avm+a6LWC9zI1P9aw3PT
	PtEbDkJpLWHIJnN933BD2MMMHYxMygxfbWfVuhi7065nc/tBo2UKnvBz2QrajU33MoJ6X6IFIlp
	I
X-Google-Smtp-Source: 
 AGHT+IH+/gpoANLQ/c1lekXiFclygZWK3q1+u16Iel0pTRjk5D+lzu8KQUzukfzB86mrZ/o+FCJQkg==
X-Received: by 2002:a05:690c:580f:b0:6c1:2b6d:1964 with SMTP id
 00721157ae682-6c3d5fc1af0mr3113477b3.38.1724291033365;
        Wed, 21 Aug 2024 18:43:53 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.52
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:52 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 10/13] linux-yocto: Setup UEFI and sign kernel image
Date: Wed, 21 Aug 2024 19:43:32 -0600
Message-ID: <20240822014335.3394568-11-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:58 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6000

efivarfs kernel module is required to access EFI vars.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../core-image-base-uefi-secureboot.inc       |  8 ++++++++
 .../linux/linux-yocto%.bbappend               |  2 ++
 .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 2232d3b3..06046f6e 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -1,3 +1,11 @@
 inherit uefi-sb-keys
 
 WKS_FILE = "efi-disk-no-swap.wks.in"
+
+# Detected by passing kernel parameter
+QB_KERNEL_ROOT = ""
+
+# kernel is in the image, should not be loaded separately
+QB_DEFAULT_KERNEL = "none"
+
+KERNEL_IMAGETYPE = "Image"
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
index a287d0e1..29c21355 100644
--- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \
 
 FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
 require ${FFA_TRANSPORT_INCLUDE}
+
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
\ No newline at end of file
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
new file mode 100644
index 00000000..cb62fdee
--- /dev/null
+++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
@@ -0,0 +1,19 @@
+KERNEL_FEATURES += "cfg/efi-ext.scc"
+
+DEPENDS += 'gen-uefi-sb-keys'
+
+inherit sbsign
+
+SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"
+SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt"
+
+# shell variable set inside do_compile task
+SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"
+
+do_compile:append() {
+    KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)
+    do_sbsign
+}
+
+RRECOMMENDS:${PN} += "kernel-module-efivarfs"
+RRECOMMENDS:${PN} += "kernel-module-efivars"

From patchwork Thu Aug 22 01:43:33 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48079
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 580D9C54722
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:58 +0000 (UTC)
Received: from mail-yw1-f181.google.com (mail-yw1-f181.google.com
 [209.85.128.181])
 by mx.groups.io with SMTP id smtpd.web11.4043.1724291035653159090
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:55 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=yl2Xi5nD;
 spf=pass (domain: linaro.org, ip: 209.85.128.181,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f181.google.com with SMTP id
 00721157ae682-690e9001e01so3385857b3.3
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291034; x=1724895834;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=h78nR8U3XGeppnR8tMm/5NKKjqRIM74r32yU07YeEzU=;
        b=yl2Xi5nDRDiLsA6a2JO06qBD+Pe37U6ZiDZYfwrBMeyUGghtFZECKlsAEq4L+xU80Y
         6w8YqqS+EMlpeRE+N2R+A/lPUk2cBj/kRlUD1K6zQBPeUy9PgusI1mxBN+U+QIN7JP2A
         wAbadNP0Lnw+1cdwoc39rUZCSgd0VUNQJn8MU1km4wiA+vraOdEiNDyySG/if303cLyb
         7n94FwpmaLE5QwSyI16CMAJbB6KS6ifcIcxA16NBUSLFF2X9AsWwKBOugkDI9sat4lop
         WBCWvFEGTwNXaWXPWBgtGhXJ3lRxeNDWj0L8ZaoDtIzXhnb1DTMhYNZNSXg+bfELsNiK
         f/og==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291034; x=1724895834;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=h78nR8U3XGeppnR8tMm/5NKKjqRIM74r32yU07YeEzU=;
        b=Z6Xfq+aJ6pER6+mqFKmw/TDPMwPchv/syML/C6ATKAL+3d07dFUuFtSYAGcufHOJ+j
         Fg2eK6fJ2TLSFLQ83DDuT2Bk8PYBBwADhid/Btr7WhewvPn73U9jckSDqSt6HsjVsT7q
         AafxekYoUJAL7XW8BxrxSFnk5LDZNqwaylMOl2Obz6GREbxqGT4hOMNFt5k6zrye7X6Z
         fQJUu04PP9nr2US52+oQ4qdNsVa70SLugKkSv0q9tHd9kxwq3ugmnoPLDMy2Q5YyQuvg
         rR26PPDrmoq+wjapNGVQfAEe6R5AYQFmlIM9Zkv4y0RCLti6Jm062wM3i8AdL6pILqq0
         Wgfg==
X-Gm-Message-State: AOJu0Yz5EqTeT5IWbHKKp7C5s6BXUbxBMI6RfOw5w4QNMZJlfYSK/As8
	KH0+4tofFUFJEZV/JnHySN1lPLoV5X5jR7jQc3tyw2S790NcvYfysJ8oIBQN/195Q+f5HCTi4x1
	x
X-Google-Smtp-Source: 
 AGHT+IHgsXgZFUto1mCj2Zby5wcloL2ledbHipIMDUpRPg9mMk46JaUBaOmuo3NHyV7R1ZVWNWlL+g==
X-Received: by 2002:a05:690c:418f:b0:65f:9451:13dd with SMTP id
 00721157ae682-6c3d62a3d7cmr3295437b3.42.1724291034555;
        Wed, 21 Aug 2024 18:43:54 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.53
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:54 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 11/13] systemd: Add UEFI support
Date: Wed, 21 Aug 2024 19:43:33 -0600
Message-ID: <20240822014335.3394568-12-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:58 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6001

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../recipes-bsp/images/core-image-base-uefi-secureboot.inc   | 2 ++
 meta-arm/conf/machine/qemuarm64-secureboot.conf              | 5 +++++
 meta-arm/recipes-core/systemd/systemd-efi.inc                | 1 +
 meta-arm/recipes-core/systemd/systemd_%.bbappend             | 1 +
 4 files changed, 9 insertions(+)
 create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 06046f6e..07e315a3 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -9,3 +9,5 @@ QB_KERNEL_ROOT = ""
 QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
+
+IMAGE_INSTALL += "systemd"
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index 6789b1c6..d6a7e22b 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -25,4 +25,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
 
 MACHINE_FEATURES += "optee-ftpm"
+MACHINE_FEATURES += "efi"
 MACHINE_FEATURES += "uefi-secureboot"
+
+INIT_MANAGER = "systemd"
+DISTRO_FEATURES += "systemd"
+DISTRO_FEATURES_NATIVE += "systemd"
diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc
new file mode 100644
index 00000000..5572e51a
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-efi.inc
@@ -0,0 +1 @@
+PACKAGECONFIG:append = " efi"
diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend
new file mode 100644
index 00000000..660358c2
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}

From patchwork Thu Aug 22 01:43:34 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48075
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 18ECFC52D7C
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:58 +0000 (UTC)
Received: from mail-yw1-f178.google.com (mail-yw1-f178.google.com
 [209.85.128.178])
 by mx.groups.io with SMTP id smtpd.web11.4044.1724291036695156983
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:56 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=rblwELXs;
 spf=pass (domain: linaro.org, ip: 209.85.128.178,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f178.google.com with SMTP id
 00721157ae682-6bd3407a12aso3405237b3.3
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291036; x=1724895836;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=uZyqnpDgh+apJec1H7CpeIJ27iw+lfaisWYZY4N7CEI=;
        b=rblwELXs0Ru1aOryXTbFjp5ERD3S3rpD9pe9hYGsW7+fIDRCP3QjFEdCQ3NUQdm6Zj
         pPr5xKJpihfU7wAMprm9NqtjikIu0S2yHC24sv693sf+sfEpx/zW21QT7/rkCabA42Ty
         6H6jZ97OpjX/YNgkgcjtNCkH/8xg3DeEPEvF40IpuCR9+1Fqspm1mfWM/rre0YjIcoTE
         rvx8B00DxWljkufR5DOBefZ3t+VorabogNdYcIrYRxxzPff2kySTloUzY+hIAGP32VJQ
         my/ykC9m5dPJS+psHJ6TzzO/GRuD0ZX311fqQMGMYKFw84QeCVVgmxnMYr+fO5d93X0k
         GF0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291036; x=1724895836;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=uZyqnpDgh+apJec1H7CpeIJ27iw+lfaisWYZY4N7CEI=;
        b=OFQYxg9toU1lCXUVOd6i4distzubXe//UaEYiGWRVmM0KKb7sohY108R5e73xtIp+p
         +rEhh0cDyzEZi+YT2siZzl8yHKAn6vInxLx+98Ivgp8IxwaBDE7mbE0+W15E+HtAG/nc
         wH7Fp07WbpFBjhzh1HedP6aBe/QCTg8UbRFUaNKSDNnonvyxvu9TDWUyCr1N6VczY8fQ
         FjaYOf17YGFZOWVd5XcwpVUYwdXEUSJcMVRhQArENPyc5NWcOi8qUVYXhU2xOpnzE2Jc
         xvQakBR7P/Tl6UeUyi059hJmmxqAElu+Dg4eqqGyCbbA8pn6PORhuCZy/BnMe7sZ4a99
         /AjQ==
X-Gm-Message-State: AOJu0Yz4m8SMyYxd4VCE6IgBJbnoP32klzmCSQ5GedrbadCjlXtBY7U+
	r3SyOREg/QJNJlc9EUmhPDGvYQ/VROGOVr9tqQXDGe4YwcsPHbqdIEk1cEBjsr5cL5HwU20Bf+R
	N
X-Google-Smtp-Source: 
 AGHT+IHmnHin5abAWBFIqQx63bHJamo/DHlrwgZ3bz+zGv8SyzuwvGLCW7OPY0tWU+nLAzGfgvJkkg==
X-Received: by 2002:a05:690c:5241:b0:6ad:deef:4abc with SMTP id
 00721157ae682-6c3d561ae6emr3275817b3.36.1724291035652;
        Wed, 21 Aug 2024 18:43:55 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.54
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:55 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 12/13] systemd-boot: Use it as bootloader & sign UEFI image
Date: Wed, 21 Aug 2024 19:43:34 -0600
Message-ID: <20240822014335.3394568-13-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:58 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6002

As qemuarm64-secureboot is already using systemd as Init manager, use
too systemd-boot as bootloader. It has a simpler and more intuitive
configuration format compared to grub. It uses a single configuration
file that is easy to understand and modify.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../images/core-image-base-uefi-secureboot.inc       |  2 +-
 meta-arm-bsp/wic/efi-disk-no-swap.wks.in             |  2 +-
 meta-arm/conf/machine/qemuarm64-secureboot.conf      |  2 ++
 .../systemd/systemd-boot-uefi-secureboot.inc         | 12 ++++++++++++
 .../recipes-core/systemd/systemd-boot_%.bbappend     |  1 +
 5 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 07e315a3..e5cf7760 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -10,4 +10,4 @@ QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
 
-IMAGE_INSTALL += "systemd"
+IMAGE_INSTALL += "systemd systemd-boot"
diff --git a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
index 6ae7ad9d..6d77d3aa 100644
--- a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
+++ b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
@@ -7,4 +7,4 @@ part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label
 
 part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --exclude-path boot/
 
-bootloader --ptable gpt --timeout=1 --append="${GRUB_LINUX_APPEND}"
+bootloader --ptable gpt --timeout=5 --append="${LINUX_KERNEL_ARGS}"
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index d6a7e22b..2f40d360 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -28,6 +28,8 @@ MACHINE_FEATURES += "optee-ftpm"
 MACHINE_FEATURES += "efi"
 MACHINE_FEATURES += "uefi-secureboot"
 
+EFI_PROVIDER = "systemd-boot"
+
 INIT_MANAGER = "systemd"
 DISTRO_FEATURES += "systemd"
 DISTRO_FEATURES_NATIVE += "systemd"
diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
new file mode 100644
index 00000000..c0753614
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
@@ -0,0 +1,12 @@
+DEPENDS += 'gen-uefi-sb-keys'
+DEPENDS += "sbsigntool-native"
+
+inherit sbsign
+
+SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"
+SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt"
+SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
+
+do_compile:append() {
+    do_sbsign
+}
diff --git a/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
new file mode 100644
index 00000000..caba9830
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)}
\ No newline at end of file

From patchwork Thu Aug 22 01:43:35 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Javier Tia <javier.tia@linaro.org>
X-Patchwork-Id: 48082
Return-Path: <javier.tia@linaro.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6A7A8C54730
	for <webhook@archiver.kernel.org>; Thu, 22 Aug 2024 01:43:58 +0000 (UTC)
Received: from mail-yw1-f176.google.com (mail-yw1-f176.google.com
 [209.85.128.176])
 by mx.groups.io with SMTP id smtpd.web10.4157.1724291037964108699
 for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:58 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=aHXlwSls;
 spf=pass (domain: linaro.org, ip: 209.85.128.176,
 mailfrom: javier.tia@linaro.org)
Received: by mail-yw1-f176.google.com with SMTP id
 00721157ae682-6c0e22218d0so4363807b3.0
        for <meta-arm@lists.yoctoproject.org>;
 Wed, 21 Aug 2024 18:43:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google; t=1724291037; x=1724895837;
 darn=lists.yoctoproject.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=2Sw6qgwfeoRcTz5HRF/e7ri5lXvqhu/5iyjFHNupvjw=;
        b=aHXlwSls4f/6VGyyUNCbv17SgWiuC/zUoasJjHYR7CrA5BDZWeI7YPaGQn2tKFmVSB
         jravTonZL7uHvRh+DRg5JkBNwixrYoHXOviE72SaA91nM8QcXoioElTLVso/vRq6huOb
         jKBIJUPZJhnFESTFG6so50mtljRWEAT98azE8ILb+LVRxFQeNaM/82uNnZgQEXhYG6b8
         IzmCIc+4t6ymUI/RcS5fdnS8a5ldQlhkEK8R1Of/ZA/7CIt/bKukDmYH4z0eHb2oRR78
         cq4A3H/RMth9nHE7pMDYQbFhYO2ONFYi0W5DYvF+rsigwWtjLUcdaDW0tKaGKsh6hH9i
         m9sA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724291037; x=1724895837;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=2Sw6qgwfeoRcTz5HRF/e7ri5lXvqhu/5iyjFHNupvjw=;
        b=wYzAJtpp2Zs0cIG7VV+Jo6E+ayvIr2OO/2nFmL9lrF3HDbzxS7TwmoHVRieVD24TFk
         g86R8bGgTvYYlbbIFybBEacVXEa2evmwna/64vD+RWVYx1krakjFmTC0EFii7dCR+11Q
         pG2Jgor2XGoIawcvOh4fG3ME/yjFX9eZQWFM5XqCxPjKS+LsLUq21rhOfy5l1ahYp2Gr
         v9QEMId3PaeguJYG99C0QBI7qBWWEKmwpTEmlJ3kmYDyAy+QTawA8b9k6XFMbpHMJUem
         1leuKlUbcJPZ89ByQMJR0PCT/18SEkacU9xhwAzNVFb+7cXw+pQE92EydqQN1fNXd6Kc
         AivQ==
X-Gm-Message-State: AOJu0YxED8JUlC3nc4u15bcA43PvnsSlx3c6+ZGu4boksF+JhT5I735+
	x6hNr11qtRngegntwrU9s/D0reiCcb0Ut0Bo0mKOaXImzSw64a7E6LRx0pZTMqg7O9YrCJ6TRJy
	k
X-Google-Smtp-Source: 
 AGHT+IHG39C9fVSOgxui66mxzIuMRERVEIUxSa+StlzHQfi015+h8zoIvIE+p8QvrfTvaPAnkgkQpA==
X-Received: by 2002:a05:690c:6305:b0:648:bca0:1e71 with SMTP id
 00721157ae682-6c3d542f438mr4655827b3.35.1724291036855;
        Wed, 21 Aug 2024 18:43:56 -0700 (PDT)
Received: from jetm-rog-x670e-gene.lan ([170.246.157.153])
        by smtp.gmail.com with ESMTPSA id
 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.55
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 21 Aug 2024 18:43:56 -0700 (PDT)
From: Javier Tia <javier.tia@linaro.org>
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>,
	Ross Burton <Ross.Burton@arm.com>,
	Jon Mason <jon.mason@arm.com>,
	Javier Tia <javier.tia@linaro.org>
Subject: [PATCH v3 13/13] meta-arm: Add UEFI Secure Boot test
Date: Wed, 21 Aug 2024 19:43:35 -0600
Message-ID: <20240822014335.3394568-14-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id: <meta-arm.lists.yoctoproject.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <meta-arm@lists.yoctoproject.org>; Thu, 22 Aug 2024 01:43:58 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6003

Add a test to verify UEFI Secure Boot is enabled

Run the test:

kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml                   |  2 ++
 .../core-image-base-uefi-secureboot.inc       |  6 +++-
 .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index 958a1ff1..02341934 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -11,6 +11,8 @@ local_conf_header:
   optee: |
     IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
     TEST_SUITES:append = " optee ftpm"
+  uefi_secure_boot: |
+    TEST_SUITES:append = " uefi_secure_boot"
 
 machine: qemuarm64-secureboot
 
diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index e5cf7760..ce64b8b5 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -10,4 +10,8 @@ QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
 
-IMAGE_INSTALL += "systemd systemd-boot"
+IMAGE_INSTALL += "systemd systemd-boot util-linux coreutils efivar"
+
+inherit extrausers
+
+EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"
diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
new file mode 100644
index 00000000..4a62b54c
--- /dev/null
+++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
@@ -0,0 +1,32 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+import os
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.oetimeout import OETimeout
+
+
+class UEFI_SB_TestSuite(OERuntimeTestCase):
+    """
+    Validate Secure Boot is Enabled
+    """
+
+    @OETimeout(1300)
+    def test_uefi_secure_boot(self):
+        # Validate Secure Boot is enabled by checking
+        # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
+        # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
+        # identifier for the Secure Boot UEFI variable. By checking the value of
+        # this variable, specifically
+        # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
+        # whether Secure Boot is enabled or not. This variable is set by the
+        # UEFI firmware to indicate the current Secure Boot state. If the
+        # variable is set to a value of '0x1' (or '1'), it indicates that Secure
+        # Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
+        # it indicates that Secure Boot is disabled.
+        cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot"
+        status, output = self.target.run(cmd, timeout=120)
+        self.assertEqual(output, "1", msg="\n".join([cmd, output]))