From patchwork Thu Aug 22 01:43:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48071 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 12F9CC52D7C for ; Thu, 22 Aug 2024 01:43:48 +0000 (UTC) Received: from mail-yw1-f178.google.com (mail-yw1-f178.google.com [209.85.128.178]) by mx.groups.io with SMTP id smtpd.web10.4148.1724291024011860288 for ; Wed, 21 Aug 2024 18:43:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=dntNEo3h; spf=pass (domain: linaro.org, ip: 209.85.128.178, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f178.google.com with SMTP id 00721157ae682-6c130ffa0adso4089257b3.3 for ; Wed, 21 Aug 2024 18:43:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724291023; x=1724895823; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=67YVObMV6SP0FplyibT0H1Uqtfes6/hXjLaUrIj/5iI=; b=dntNEo3hYEG7QdRm0C8JPdItp6+e2ZylNxZV1qtqQ5EfJf38xupH8TEgZV85YMtcns iIt37v+sMcxupMHMPot+k/3pwXOQLr04U+Z2gCxIypKyQjyojFRScpxS/8Bk29M4Z/qp Lkt78s2ROLQgd8b7vPXUxKOGfcmTrtzpUbrwZOy8hWkCg/z0qhvwLw0ddfwF0+OY7wVN heBXhp1k49YephaqLPpcIsTYQ7CDBF7Kfshq97/FnzG3Z1OwFCT1qps0dJlzN2TFlfOF y5ktXjjb4oqoaKCwMPrIPfFbX9HoqZlzKABUWreOp9dS+YNi7lsvn1tljtNw6U6lhKLD /Eyw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724291023; x=1724895823; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; 
bh=67YVObMV6SP0FplyibT0H1Uqtfes6/hXjLaUrIj/5iI=; b=fIINHTpBpWgwMqYF6q03HgvqHhjmSiikJ/cRvmpg1wpVkK9N96FtVxa4f9+OPYbrug IYMV3jyOhGEJjwDOLfbMLqKVZkYUaPReyFLr4sxbsInt4Ui0GDkYZthZ0a0DdNxpVPj8 KNdZG/FwIknGB5BhB98T14scikCNdQ/XfvubVLnv79zXtAF5kOV0JHNovm+oPeSOxQKf 4tKPeUwaDZctw6oRGl8vnLBzZB4xJ82z9rSt4MwQoOEQ/PGGWgEEh6lIZG9l2We5kDBW dCli0eM6qoTSbgJhQm8UTozI1mPBYGVddS2Ojp+zZbX7E0nE1SW0Ssu+mMu3mEs2olJU BORg== X-Gm-Message-State: AOJu0YzNDxB+dKdl+Qii6NtmKSwZ8Y3dxtukrJcWsb0j0POtg+hZOJ+n mz0eLk+eNj4gF4p+kxWDdNCoC9KTibwxsIOIG8q4aWE0eTzYnMD1KQHMRXQBCjHoB/vnn9I+EbO g X-Google-Smtp-Source: AGHT+IHGIzUGRzSqKE+E7cQmbJebb7VAPPUVavIxjFVmHjO9nap2k7RQ3CJgiNIHqowQvecr3x3vIQ== X-Received: by 2002:a05:690c:428c:b0:632:12b:8315 with SMTP id 00721157ae682-6c09d8de9f1mr40963697b3.22.1724291023067; Wed, 21 Aug 2024 18:43:43 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([170.246.157.153]) by smtp.gmail.com with ESMTPSA id 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Aug 2024 18:43:42 -0700 (PDT) From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v3 01/13] qemuarm64-secureboot: Introduce uefi-secureboot machine feature Date: Wed, 21 Aug 2024 19:43:23 -0600 Message-ID: <20240822014335.3394568-2-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org> References: <20240822014335.3394568-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 22 Aug 2024 01:43:48 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5991 Signed-off-by: Javier Tia --- meta-arm/conf/machine/qemuarm64-secureboot.conf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf index cfc6ff77..6789b1c6 100644 --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf 
@@ -25,3 +25,4 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" +MACHINE_FEATURES += "uefi-secureboot" From patchwork Thu Aug 22 01:43:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48070 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16877C5321E for ; Thu, 22 Aug 2024 01:43:48 +0000 (UTC) Received: from mail-yb1-f171.google.com (mail-yb1-f171.google.com [209.85.219.171]) by mx.groups.io with SMTP id smtpd.web11.4037.1724291025269000576 for ; Wed, 21 Aug 2024 18:43:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=VDVQl8c8; spf=pass (domain: linaro.org, ip: 209.85.219.171, mailfrom: javier.tia@linaro.org) Received: by mail-yb1-f171.google.com with SMTP id 3f1490d57ef6-e02c4983bfaso396755276.2 for ; Wed, 21 Aug 2024 18:43:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724291024; x=1724895824; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=O7LQHgRISQHcfF0QLO2liZofRFwc99d3sVsZckNqcRY=; b=VDVQl8c8cz5JhIeSAZR7oS0cYxKZ62NogpMOJStI4NqrP0UnmmdvRQlpT5R3jOSp3t j+3jU8s8GbfQgDv/g3zqjlVhbHGeX0CcWc3ze+b9OzRDFdVWpm+TJMc30fi3dY9IUxDr AAAOsOuDequ1lPxeyCjsA52PI4TL3IZPVTrYZDDPJehNbDlm3vH8dicKh/4yU6th7fT5 i6yW6ZXG5wi/39TKT93WY2GikX3jkSkzxK6+Sek2XbHzsdpFgkxO/Dx83xyRPjqwx6fD lcOgc+AgSvnj9YL9EXBTxRydLbDCEqBJRnKDo1o3nmU9KkgZxD9B/RwALFCL+cEAF5ki tE9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724291024; x=1724895824; 
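Review bot: the new `MACHINE_FEATURES += "uefi-secureboot"` line carries no comment saying what the feature switches on, and nothing else in the hunk explains it; add a one-line comment above it (that it enables the UEFI secure boot key checks and binary signing for this machine) so a reader of qemuarm64-secureboot.conf does not have to trace the bbappends that key off the feature name.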
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=O7LQHgRISQHcfF0QLO2liZofRFwc99d3sVsZckNqcRY=; b=pW1RfskrWaSocbQgjjHz+aWKscyuELdVnWgOfhh48ElOtr0zUPdidUBNx6Tkp+aPvR f8zflRs7h4PG42usZslePfMbTcgUJrkL0CglUIcT2HkbxYeQ6mb1v6OoNVZLZPBcHOiJ yzOqFKzYE9xoMWnMKItEhTQE/I6EB/zuzxgqfSiWy77UQoRo8BYRjPb25NUq0QAyuA7E 9sNb/ifQCNkp7ItycR8hBcrE0OCVMzeGfs/2RldY3xjFd8bTJRScgDe7rhd91EKa78BO SfOHYoSQLd390wN+byzFVj7L+uwG6Z5asLPfOuq9HQzzvNP1wgTcM2pUL7jGJW2hfECd hrVg== X-Gm-Message-State: AOJu0Yxn3+1TEaybfrSeG/eV6ZY9CmGlGIlacDxyphdEeoAQzweA4uqn bfgoBcw85jnEbGAr7gVzrixRRDou9VobR3VbOwpcsWN2Fw+l2V04Adzl57eCGv1Eih+wvWnoO2e m X-Google-Smtp-Source: AGHT+IFC/P8CpSdx/Hx3d9uUR9WOn6glB6S1jnhkWjyLYJqgg2FPMCKdC1jGbQolaIIAd8VFS03wMg== X-Received: by 2002:a05:6902:168e:b0:e16:5443:4c1 with SMTP id 3f1490d57ef6-e16664a50famr5520443276.35.1724291024270; Wed, 21 Aug 2024 18:43:44 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([170.246.157.153]) by smtp.gmail.com with ESMTPSA id 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Aug 2024 18:43:43 -0700 (PDT) 
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v3 02/13] core-image-base: Use UEFI layout disk partitions Date: Wed, 21 Aug 2024 19:43:24 -0600 Message-ID: <20240822014335.3394568-3-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org> References: <20240822014335.3394568-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 22 Aug 2024 01:43:48 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5992 - Use efi-disk-no-swap.wks.in disk definition to add expected UEFI disk partitions configuration. Signed-off-by: Javier Tia --- .../recipes-bsp/images/core-image-base-uefi-secureboot.inc | 1 + meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend | 1 + 2 files changed, 2 insertions(+) create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc new file mode 100644 index 00000000..351e9030 --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc @@ -0,0 +1 @@ +WKS_FILE = "efi-disk-no-swap.wks.in" diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend b/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend new file mode 100644 index 00000000..1f6dbd24 --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend 
@@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'core-image-base-uefi-secureboot.inc', '', d)} \ No newline at end of file From patchwork Thu Aug 22 01:43:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48072 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 24521C5472C for ; Thu, 22 Aug 2024 01:43:48 +0000 (UTC) Received: from mail-yw1-f169.google.com (mail-yw1-f169.google.com [209.85.128.169]) by mx.groups.io with SMTP id smtpd.web10.4149.1724291026424948214 for ; Wed, 21 Aug 2024 18:43:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=O54gTqrz; spf=pass (domain: linaro.org, ip: 209.85.128.169, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f169.google.com with SMTP id 00721157ae682-691c85525ebso3288767b3.0 for ; Wed, 21 Aug 2024 18:43:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724291025; x=1724895825; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=i3FMcrxoQMEjfxeuNGxbNN6+IFf/qUnBbfx9yY/tZpY=; b=O54gTqrzIqEKk6cFg03H8Txj6ItsFWQcnzQZg1jy6iX+GjgJaHBAHrTc88EkrYx31B h+2SQ3H0qfHsOkLRd5ib7ncRpp3i91mNx8zuhv/8Ph9h5z8T/2Mq//uUkT49nkMtQVVl g9UAujNCv2pPceSS1z6lQuM0pLrqELqtvKI7nPV65bVhR50bCZdYWqFbLC+kyj44yQGn 4kHs+BDG84WULBR2gRlSNl1EoLVWI1ZxOUDd5k+3qThWa3VzrCXEhl+WE6fbLKVUQ+PP aA5vcImVl3jtnRp0RCBV0FpSDFXRQer0Eq5GgjJW0p/QreH+4vCGtYVaFur/QnFzyGvB HqtA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724291025; x=1724895825; 
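Review bot: the new core-image-base.bbappend ends without a trailing newline (`\ No newline at end of file`); add one. The `require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'core-image-base-uefi-secureboot.inc', '', d)}` idiom relies on `require` of an empty string being a no-op, which BitBake allows, but a short comment saying the include is only pulled in when the uefi-secureboot machine feature is set would make the bbappend self-explanatory. The .inc sets `WKS_FILE = "efi-disk-no-swap.wks.in"` unconditionally, overriding any WKS_FILE from the machine config; that is intended given the guard but should be stated in the commit message.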
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=i3FMcrxoQMEjfxeuNGxbNN6+IFf/qUnBbfx9yY/tZpY=; b=ZbMUifavGCo5JYv6c4L8oY92zPQRbqjl1WrI4t/D/bxtadLdx2o/0IS4Ltv9fHw5m6 ocGGvNvG+h9glceky5OG0zbwH7a/PaC61maMn3l+9vgpb8jts/rlL/7Fs19KrsODDTRM 0hP/DBmBrBv86UW4l6aGRpLE19AE1z3tTTXqZ3HFlwRZ9asE47t2Pw7o81Ay4B7hxzwa DQFm2aW+NBE4AzMl9GmQzUABA83NnM2haIUvJB4Fv1QDs/8BSf9Z0zw7kFSh64YD3t9c Vd5wIME32CMDjjBG2cyiLiWbx36ZZeIp8+nafcCdywqaHEOtGhfnIR4YvKfoOM2TIruz PrJQ== X-Gm-Message-State: AOJu0Yw4sJHblhEbL8odJVkDbD/VzHawlZqp9rtOQx4xf6AW9dAPYUz8 aymRMKffUArWa4gwEeKsrhttFL6zfvctltJgOIJNNb/utmqDdUsptZ+3LmNS1kFHbHHT+4zA95r B X-Google-Smtp-Source: AGHT+IFzAFyMpyHiNxAUSXyKzirLQUPnuu68Ej4xMFRE6d7kNfcqiT9H21K6yWvNHUfLBurs+libaw== X-Received: by 2002:a05:690c:6d0e:b0:6b4:3caa:e842 with SMTP id 00721157ae682-6c09d8dc019mr58659647b3.18.1724291025457; Wed, 21 Aug 2024 18:43:45 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([170.246.157.153]) by smtp.gmail.com with ESMTPSA id 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Aug 2024 18:43:44 -0700 (PDT) 
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v3 03/13] layer.conf: Introduce UEFI_SB_KEYS_DIR Date: Wed, 21 Aug 2024 19:43:25 -0600 Message-ID: <20240822014335.3394568-4-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org> References: <20240822014335.3394568-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 22 Aug 2024 01:43:48 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5993 UEFI_SB_KEYS_DIR saves UEFI keys path. To avoid security issues, UEFI keys are not provided and they can be generated by gen_uefi_keys.sh script. Signed-off-by: Javier Tia --- meta-arm/conf/layer.conf | 2 ++ meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf index 9e9c9dbd..2854dd69 100644 --- a/meta-arm/conf/layer.conf +++ b/meta-arm/conf/layer.conf @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet" addpylib ${LAYERDIR}/lib oeqa WARN_QA:append:layer-meta-arm = " patch-status" + +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys" \ No newline at end of file diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh new file mode 100755 index 00000000..fc7f25c9 --- /dev/null +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh 
@@ -0,0 +1,35 @@ +#/bin/sh + +set -eux + +#Create PK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth + +#Create KEK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth + +#Create DB +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth + +#Create DBX +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth + +#Sign image +#sbsign --key db.key --cert db.crt Image + +#Digest image +#hash-to-efi-sig-list Image db_Image.hash +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth + +#Empty cert for testing +touch noPK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth + From patchwork Thu Aug 22 01:43:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48073 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 02302C52D6F for ; Thu, 22 Aug 2024 01:43:48 +0000 (UTC) Received: from mail-yw1-f173.google.com (mail-yw1-f173.google.com [209.85.128.173]) by mx.groups.io 
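Review bot: `#/bin/sh` is not a valid shebang (the `!` is missing), so the script only works when a shell happens to fall back to /bin/sh for it; fix it in this patch rather than later. The script writes unencrypted private keys (`-nodes`) into the directory that layer.conf now defaults `UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"` to, i.e. inside the checked-in layer, and nothing in this patch stops `*.key`/`*.crt`/`*.esl`/`*.auth` from being committed; a .gitignore belongs in the same patch as the script. All four signature lists use the same owner GUID `11111111-2222-3333-4444-123456789abc` and subject `/CN=Linaro_LEDGE/`; these are placeholders and should at least be overridable from the environment, with a comment saying so. `noPK.auth` (an empty PK list signed by the PK) is a signed authorisation to clear the Platform Key, which takes the platform out of secure boot enforcement; it is labelled "for testing" only in a comment, so either generate it behind an explicit option or make the file name and a warning say test-only. The dbx block generates a fresh key pair that is never used to sign anything, so the dbx entry revokes nothing; if it exists only to make dbx non-empty, say so in the comment. The layer.conf hunk also lacks a trailing newline.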
with SMTP id smtpd.web11.4038.1724291027511798368 for ; Wed, 21 Aug 2024 18:43:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=QnAIiiq5; spf=pass (domain: linaro.org, ip: 209.85.128.173, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f173.google.com with SMTP id 00721157ae682-6b3afc6cd01so11965057b3.1 for ; Wed, 21 Aug 2024 18:43:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724291026; x=1724895826; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=SLHu6PRlZnCzW/rU1UEj78mshvoxk7WjoojsTwAZ3/I=; b=QnAIiiq5PmOBnxxCWnqm831lYUvQ9a47teDy3oTXV/nPH1pez/6rpt+jNkKV85H4Nq vAmXVj/ZsdxGjxKl5TXD73bDoVslJUow3UNWnY64mRwQGN4MRmlmXsnYNdXqTcfbGNw3 A8TekVQ0YWGyv0nVs6M6+lSIKKMEJQKEAFGH1GWCmNvVZsp9McSutrz8mbhKYZGDHnRy h3Jj7g0ApNcZFmb605z5O21yAoJJRz/o0w0rRvQsALQBvmaf2YxtrV+c3DVQCmvUtPJ6 H+t5+dTmXtGGRb5rULQYQe44TRAPCA8zxXvCX8h1WZ19dn+GnLzVevADmA8RyoMJWqhy 12Rw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724291026; x=1724895826; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=SLHu6PRlZnCzW/rU1UEj78mshvoxk7WjoojsTwAZ3/I=; b=eoNYAhtu2xcIo0ip42z3Y5jOSL0IQUyu1XooB4TIVEAEL2TLMOPNzTFOAOByLhD0DG XLkXlUDvYRmqqX1jStOZVxBN0zHwClxJPAJcRleZKCQfDvfs06vMeeHuj81HngaAw4TB X6fZOrciIDQ6GvlvYnc1HaCr/NC8/+ZDDavgnIbarmINqcaGr8tLd+VaAeHcgsRJdf9C boW4vJ7fpFlGSmDBwG7e8S0kHAwsnZ4Bo1cLmHpoSdrJ6VlKluh8U0ONeg54Z7fjSUJ0 ls3z6o/yX/IBSku2/s1agLHMnu/TeLHQ39lffUVr+ZQ8JakGk4u+lmpzXcEttv4Acse9 vV1g== X-Gm-Message-State: AOJu0Yw751wgs/fSKdQd4syvAc4PlzLH72ycsgLuBYcnHStz4MmU0Rr0 SLmDobCMa26kciOxBq3mdyryKCiQvoOx4sJMiQBR4YyjfWzP7xsWqhIewjJ2gMUteRlKoM2duut O X-Google-Smtp-Source: 
AGHT+IE9OWRI3njPkULq/BdO5og6g6bL9i2OGaWns6ubu9LQvAKaGvvra2IlPxYfKJ9TdAcOfVcEEA== X-Received: by 2002:a05:690c:f94:b0:66b:c28b:f234 with SMTP id 00721157ae682-6c306357b9emr15734987b3.21.1724291026533; Wed, 21 Aug 2024 18:43:46 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([170.246.157.153]) by smtp.gmail.com with ESMTPSA id 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Aug 2024 18:43:46 -0700 (PDT) From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v3 04/13] uefi-sb-keys.bbclass: Add class to validate UEFI keys Date: Wed, 21 Aug 2024 19:43:26 -0600 Message-ID: <20240822014335.3394568-5-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org> References: <20240822014335.3394568-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 22 Aug 2024 01:43:48 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5994 Without UEFI keys, signing will fail and the OS will not boot. Signed-off-by: Javier Tia --- meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass new file mode 100644 index 00000000..e800b4c6 --- /dev/null +++ b/meta-arm/classes/uefi-sb-keys.bbclass 
@@ -0,0 +1,24 @@ +# Validate UEFI keys +python __anonymous () { + if d.getVar("UEFI_SB_KEYS_DIR", False) is None: + raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.") + + # keys used for UEFI secure boot + uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR") + + keys_to_check = [ + uefi_sb_keys + "/PK.esl", + uefi_sb_keys + "/KEK.esl", + uefi_sb_keys + "/dbx.esl", + uefi_sb_keys + "/db.esl", + uefi_sb_keys + "/db.key", + uefi_sb_keys + "/db.crt", + ] + + missing_keys = [f for f in keys_to_check if not os.path.exists(f)] + + if missing_keys: + raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), ) + + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys) + +} From patchwork Thu Aug 22 01:43:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48074 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18DBBC52D6F for ; Thu, 22 Aug 2024 01:43:58 +0000 (UTC) Received: from mail-yw1-f173.google.com (mail-yw1-f173.google.com [209.85.128.173]) by mx.groups.io with SMTP id smtpd.web10.4150.1724291028705999907 for ; Wed, 21 Aug 2024 18:43:48 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=g1dN9+SE; spf=pass (domain: linaro.org, ip: 209.85.128.173, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f173.google.com with SMTP id 00721157ae682-68d30057ae9so3293077b3.1 for ; Wed, 21 Aug 2024 18:43:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724291027; x=1724895827; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date 
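Review bot: the check runs in an anonymous Python function at parse time and raises `bb.parse.SkipRecipe`, so a missing key set silently drops every recipe that inherits the class instead of failing the build, while the commit message says signing will fail and the OS will not boot; decide whether a skip (whose reason a user only sees in the parse output or `bitbake -s`) or a `bb.fatal` is intended, and document the choice in the class header. Because the check is done while parsing, any recipe that would generate the keys during a build task runs too late to satisfy it, so the class only works with keys generated by hand before `bitbake` is invoked; the header comment should state that. Smaller points: the `d.getVar("UEFI_SB_KEYS_DIR", False) is None` branch can no longer trigger once layer.conf sets `UEFI_SB_KEYS_DIR ??=`, and the list checks the four `.esl` files plus `db.key`/`db.crt` but none of the `.auth` files the script also produces; a comment saying which consumer needs each listed file would make the list maintainable.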
:message-id:reply-to; bh=jKeLT5wECjxCPh0q9TVfT28Dr9BXXolYW1ml7VAYpJM=; b=g1dN9+SEImPwWexkqCqT4/X6YIMuKwOr61pWmBGH7DAff2/+6PA2vpEouXm/vy7t0a IqwrRSB7rkqMGsTG8cKMy8YP9j5wptXM4+FWD2Bw28gwLJqNYFLzX4nrI9H67w9YY5f2 rvswCB84BdiQy7eSty4mgTrwP2FPKL5yT0crWgRLusySJc4qGpfJ/Wg5cAGMVxTdjeU/ 82mLcG4ZbAm7brIiV5y3W99m0D+yWVvZlQXI4BJfFpGyfRUaDUgXmz14wwrYFHrtyAV3 GEKmyc9fR7x+FPv7TmYiXGulNRL/aBzWYGEefV/xvJwGPt3MDtK7QqRXlOa0j/GgoR1z wHjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724291027; x=1724895827; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jKeLT5wECjxCPh0q9TVfT28Dr9BXXolYW1ml7VAYpJM=; b=XCTJKjy5pUs3u/INJB1np4dgEBs9jYW2fSnPoP8T9XTpiEkYgjG2GKPDu1QbxZpFEp 46272noE9JGn9FWWLc9PmcshFtgwdjVaWorDurCTf4rwtlYjng7IMrtOfeA7dyHNaFlS BOm2+dBWSBC6EVwqb0NWfwynrEC/CnTvCKvKFe1BNxYW/H2nA5jN4KU6nZ20QKW1nyFC CAeYh5ANVHKHnp65ASdrIsZWrE1g/YLnqTGTAJFuIRXGq0WFyaX84TqA9op/GGHOc6W8 apDb0NIxgppW7QQtM9xC1pY3qQDUWsxxQZTVvO1Ebq/LGeISrHE6UFlHDIR481OmhUth 7ijg== X-Gm-Message-State: AOJu0YxfwWtjo9sd7mrIWaCyvgGBOuj9yM5c8EPSIjkMUcetvY/FhZLf JJYxtvo+7S4I+LqD/lqZ94zXP5KbcJeXOBDD82XO+jve9XnFnnSIjB4zjcstxfr85EPf3KNxCuD S X-Google-Smtp-Source: AGHT+IE21Dx7RFcLUpQgu2zmo93kapXCcQ7giJE7sFEJOkvZNnaABEUktMLb7OQ4d6vfA/RRUCMYsw== X-Received: by 2002:a05:690c:768b:b0:6b0:e813:753b with SMTP id 00721157ae682-6c3d60b85aemr4020857b3.38.1724291027645; Wed, 21 Aug 2024 18:43:47 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([170.246.157.153]) by smtp.gmail.com with ESMTPSA id 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Aug 2024 18:43:47 -0700 (PDT) 
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v3 05/13] sbsign.bbclass: Add class to sign binaries Date: Wed, 21 Aug 2024 19:43:27 -0600 Message-ID: <20240822014335.3394568-6-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org> References: <20240822014335.3394568-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 22 Aug 2024 01:43:58 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5995 A lot of recipes are using these same steps to sign binaries for UEFI secure boot. Authored-by: Mikko Rapeli Signed-off-by: Javier Tia --- meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 meta-arm/classes/sbsign.bbclass diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass new file mode 100644 index 00000000..a99c0218 --- /dev/null +++ b/meta-arm/classes/sbsign.bbclass 
@@ -0,0 +1,39 @@ +# Sign binaries for UEFI secure boot +# Usage in recipes: +# +# Set key and cert files in recipe or machine/distro config: +# SBSIGN_KEY = "db.key" +# SBSIGN_CERT = "db.crt" +# +# Set binary to sign per recipe: +# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign" +# +# Then call do_sbsign() in correct stage of the build +# do_compile:append() { +# do_sbsign +# } + +DEPENDS += "sbsigntool-native" + +SBSIGN_KEY ?= "db.key" +SBSIGN_CERT ?= "db.crt" +SBSIGN_TARGET_BINARY ?= "binary_to_sign" + +# makes sure changed keys trigger rebuild/re-signing +SRC_URI += "\ + file://${SBSIGN_KEY} \ + file://${SBSIGN_CERT} \ +" + +# not adding as task since recipes may need to sign binaries at different +# stages. Instead they can call this function when needed by calling this function +do_sbsign() { + bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}" + ${STAGING_BINDIR_NATIVE}/sbsign \ + --key "${UNPACKDIR}/${SBSIGN_KEY}" \ + --cert "${UNPACKDIR}/${SBSIGN_CERT}" \ + --output "${SBSIGN_TARGET_BINARY}.signed" \ + "${SBSIGN_TARGET_BINARY}" + cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned" + cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}" +} \ No newline at end of file From patchwork Thu Aug 22 01:43:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48077 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49D7AC5321E for ; Thu, 22 Aug 2024 01:43:58 +0000 (UTC) Received: from mail-yw1-f179.google.com (mail-yw1-f179.google.com [209.85.128.179]) by mx.groups.io with SMTP id smtpd.web11.4039.1724291029752937295 for ; Wed, 21 Aug 2024 18:43:49 -0700 Authentication-Results: mx.groups.io; dkim=pass 
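Review bot: `do_sbsign` copies the original binary to `.unsigned` only after signing and then overwrites it with `.signed`; if the function runs twice on the same tree (do_compile re-executed without a clean), the second run copies the already-signed binary over `.unsigned` and signs a signed image, losing the original. Preserve the input first, e.g. `mv "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"`, then pass `.unsigned` to sbsign with `--output "${SBSIGN_TARGET_BINARY}"`. Key lookup is also inconsistent with the UEFI_SB_KEYS_DIR introduced in patch 03: `SRC_URI += "file://${SBSIGN_KEY}"` with `SBSIGN_KEY ?= "db.key"` resolves through the recipe's FILESPATH, not `UEFI_SB_KEYS_DIR`, so every recipe using the class needs a FILESEXTRAPATHS entry, or the defaults should point at `${UEFI_SB_KEYS_DIR}`; document whichever is intended. Listing the private key in SRC_URI also copies it into `${UNPACKDIR}` of every recipe that inherits the class, which is worth calling out in the header comment. The file lacks a trailing newline.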
header.i=@linaro.org header.s=google header.b=YYweEaUW; spf=pass (domain: linaro.org, ip: 209.85.128.179, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f179.google.com with SMTP id 00721157ae682-6c130ffa0adso4089787b3.3 for ; Wed, 21 Aug 2024 18:43:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724291029; x=1724895829; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=d4QveURaOEPjRXZzrUewBCfHkU+UFxipcUv9I+R+wcQ=; b=YYweEaUWZuLeUa8DNuvdoakxJEb6BppDYNrEPN2CRRqpvzEVyHdk1mY4wuNUfZ5cZa EthxdJoUV1foI08quvG8gJ3G/SvXfolOP+QoKyBGH0a1Qm8yOqMosj7gf87HgeQViwIr Vkp3lgK/l9pFEP8hRzqYsDbdUv6H7ShtcWarTVuA8OhYqkrOMY4WpYYHrjqrit+4GSbB iM/aWCqZdVw8iph26ohTKoecr3k+MfHCM4Bkc4BHIdN0V7IHx/ICR9nRcUQjbtWgAQEH Op2C4mFRMPT0Vk0cJbHGe9AGxkEn3MUTArX8yktB56pefu9TQRMhy15yAPCIgn5iXLjt q/bA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724291029; x=1724895829; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=d4QveURaOEPjRXZzrUewBCfHkU+UFxipcUv9I+R+wcQ=; b=m7inUFgOZ+s7NDyUYxy8LSkbbcmu73YwL+lO/uDJV/zTeF0Y3M5hsxwIwkKWRc8nHC bBGPQiSCCgffxCmOnbCnKwq0KJCqNxXYsjsJbSgapQjYWBeVXQBbwutHt/LNg7++BJve mK8BgO158yLMrj+1EW6Il3y5MnJ3G9XxhASPqwOcroIpd9mbDUdYfqXuoxW/VzMxAAxD KUkX8snbbuPw3pMHtrVjmzlLQAmSITzOBeTvPSIW/BWQtl2+OjEI/36ot09XD56F+r8/ tVZCucv7X4yfaCis28oybVBxSiPp1OIA8sbJfYOQUICSuMszXQ2qgPicJBE2nxT9XwTB +24g== X-Gm-Message-State: AOJu0YyII25joWPLuVJM1DU6uCVrlUZimz78yvm6BeLdU2NaoCzKoRNc AnUhgCptirnMZE/O/a6N+N3UE1hgDHcUe5kVjacrUU7StOUesXkSFoWFx3+rhHAmE4aYnyJyV/v x X-Google-Smtp-Source: AGHT+IF1s6+yuQFPetnfl7rLSpxY4POrUFPU066x9thNcWb80eojxZbBgX+sUKUJbvhGOkiRiV6ZFQ== X-Received: by 2002:a05:690c:18:b0:646:25c7:178e with SMTP id 
00721157ae682-6c09c1c02d7mr54286587b3.5.1724291028738; Wed, 21 Aug 2024 18:43:48 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([170.246.157.153]) by smtp.gmail.com with ESMTPSA id 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Aug 2024 18:43:48 -0700 (PDT) From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v3 06/13] core-image-base: Inherit uefi-sb-keys Date: Wed, 21 Aug 2024 19:43:28 -0600 Message-ID: <20240822014335.3394568-7-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org> References: <20240822014335.3394568-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 22 Aug 2024 01:43:58 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5996 Signed-off-by: Javier Tia --- .../recipes-bsp/images/core-image-base-uefi-secureboot.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc index 351e9030..2232d3b3 100644 --- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc +++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc 
@@ -1 +1,3 @@ +inherit uefi-sb-keys + WKS_FILE = "efi-disk-no-swap.wks.in" From patchwork Thu Aug 22 01:43:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48080 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5844CC5472E for ; Thu, 22 Aug 2024 01:43:58 +0000 (UTC) Received: from mail-yw1-f178.google.com (mail-yw1-f178.google.com [209.85.128.178]) by mx.groups.io with SMTP id smtpd.web10.4151.1724291030773666011 for ; Wed, 21 Aug 2024 18:43:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=ldKAk7AX; spf=pass (domain: linaro.org, ip: 209.85.128.178, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f178.google.com with SMTP id 00721157ae682-691c85525ebso3289157b3.0 for ; Wed, 21 Aug 2024 18:43:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724291030; x=1724895830; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Y6cnGubIUPfqUNMZsTLbuxSnui3vnRbhrJbBfO5KvAM=; b=ldKAk7AX/PKxhm3jqObBZel5WcWw5h8xLr/vYiS5KGUWatl6nqI6u3QhHfK1XcbiD7 NnVYZKZwFvdNOIzO//aoNau/OIbHCdf9MQsDdcHyCZJI8CIGvq3VpU5GYMp8ETYAQ7eZ CNSrlgSn22apYc+c1qPj857IMWPaWOx9cy85ljAs6zjU9wbktv/a3EacYwjmadUFggwo u5klUycYZMOcKA3ir6FznPaiNvw9gorS0m3GImH5Cb+G9V3dKFdQYkA9/uP/Fvzs3ZnY tphBwTs/9GY/+0l5GZFwiQumejJghbAeD7tT4ubVcdaz1DraHkae1b1jJqGbkfRoW85j E5TA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724291030; x=1724895830; h=content-transfer-encoding:mime-version:references:in-reply-to 
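Review bot: with `inherit uefi-sb-keys` in core-image-base-uefi-secureboot.inc, the parse-time key check now applies to core-image-base whenever the uefi-secureboot machine feature is set; add a comment above the inherit saying the image recipe is skipped when the files under UEFI_SB_KEYS_DIR are missing, since that skip is a surprising failure mode for someone building the machine for the first time.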
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Y6cnGubIUPfqUNMZsTLbuxSnui3vnRbhrJbBfO5KvAM=; b=XFiEdppac0TGTLSuk6VWtrniV7xBVF90I192it1ODjkakyXPhOljfqaYKM2aTyAl2H XNawawGX4oeeq9+yYVw7Qd4TkpD3Tw/PNPvzTh1lCduL9iBeFPTFSY9Fc1UxFtdCc03D 4jQMvMnI1tH/pFVWtRp20ft55LWQSCQZJRIzuzbo5JSLugGXlJ1ntz6+TPU4Mpu1tiCW zEJDxfjNg1l/9W244at/cmwqzcboXsjnhn63Pbw8SB7C0eB+CDOUJJACCXv4+ZIPyoTk z+CSZ4Q8yaylYPKwe9o8ZPV8k0jz9Zuax7Sea2zXku7U+sug2RZEHn2VDJPYxxG1vf1l Vo5g== X-Gm-Message-State: AOJu0Yxcybif4XrWlFAHi2CCRrkSupSuFh0mT6V7WiL2D4lfj+yYY2mX YmKJejGe9uYIes0IFhW+R+ZgP4oAfhlodUwgtYY9B9FwRa84It354cvVbxcfxE79R+gpIJuEFtw C X-Google-Smtp-Source: AGHT+IHq0gljN/KYAqIMseWn1wb3Qhr/V75BJ1ARanFTKY4yE9oL2G2YC56LFQWeGQBnVYDId/r5vg== X-Received: by 2002:a05:690c:7087:b0:6be:97e7:ff76 with SMTP id 00721157ae682-6c09cd4e756mr51306977b3.11.1724291029818; Wed, 21 Aug 2024 18:43:49 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([170.246.157.153]) by smtp.gmail.com with ESMTPSA id 00721157ae682-6c39e6eae07sm707757b3.145.2024.08.21.18.43.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Aug 2024 18:43:49 -0700 (PDT) From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v3 07/13] meta-arm: Introduce gen-uefi-sb-keys.bb recipe Date: Wed, 21 Aug 2024 19:43:29 -0600 Message-ID: <20240822014335.3394568-8-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org> References: <20240822014335.3394568-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 22 Aug 2024 01:43:58 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5997 Generate a new set of keys on build time. It avoids to use same keys which could generate a security issue. 
Signed-off-by: Javier Tia --- meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++ meta-arm/uefi-sb-keys/.gitignore | 4 ++ meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 56 +++++++++---------- 3 files changed, 57 insertions(+), 29 deletions(-) create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb create mode 100644 meta-arm/uefi-sb-keys/.gitignore diff --git a/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb new file mode 100644 index 00000000..a4ae6d87 --- /dev/null +++ b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: MIT + +SUMMARY = "Generate UEFI keys for secure boot" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +DEPENDS += "bash-native" +DEPENDS += "coreutils-native" +DEPENDS += "efitools-native" +DEPENDS += "openssl-native" + +SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh" + +UNPACKDIR = "${S}" + +do_fetch[noexec] = "1" +do_patch[noexec] = "1" +do_compile[noexec] = "1" +do_configure[noexec] = "1" + +do_install() { + ${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh ${UEFI_SB_KEYS_DIR} +} + +FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key" +FILES:${PN} += "${UEFI_SB_KEYS_DIR}/*.crt" diff --git a/meta-arm/uefi-sb-keys/.gitignore b/meta-arm/uefi-sb-keys/.gitignore new file mode 100644 index 00000000..f8669919 --- /dev/null +++ b/meta-arm/uefi-sb-keys/.gitignore @@ -0,0 +1,4 @@ +*.auth +*.crt +*.esl +*.key \ No newline at end of file diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh index fc7f25c9..21e65c72 100755 --- a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh 
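Review bot: do_install runs gen_uefi_keys.sh with ${UEFI_SB_KEYS_DIR} as its output directory and never writes into ${D}, so the `FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key"` and `*.crt` globs match nothing and the generated material lands in the layer checkout (which is what the new .gitignore entries anticipate). That does not survive sstate: on a fresh checkout a cache hit on do_install skips generation and the recipes that `DEPENDS += 'gen-uefi-sb-keys'` find no keys, while a forced re-run rotates the keys without rebuilding the consumers signed with the old db.key. Install the certificates and .esl files into ${D}${datadir}/uefi-sb-keys so consumers read them from the sysroot through DEPENDS, keep the private .key files out of any package (the script writes them with `-nodes`, i.e. unencrypted), and either run the copy unpacked into ${S} or drop the SRC_URI / UNPACKDIR / do_fetch[noexec] lines that currently have no effect.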
@@ -1,35 +1,33 @@ -#/bin/sh +#!/bin/bash +# +# SPDX-License-Identifier: MIT +# set -eux -#Create PK -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl -sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth +KEYS_PATH=${1:-./} +SUBJECT="/CN=Linaro_LEDGE/" +GUID="11111111-2222-3333-4444-123456789abc" -#Create KEK -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl -sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth +openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ + -keyout "${KEYS_PATH}"/PK.key -out "${KEYS_PATH}"/PK.crt \ + -nodes -days 3650 +cert-to-efi-sig-list -g ${GUID} \ + "${KEYS_PATH}"/PK.crt "${KEYS_PATH}"/PK.esl +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/PK "${KEYS_PATH}"/PK.esl "${KEYS_PATH}"/PK.auth -#Create DB -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl -sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth - -#Create DBX -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl -sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth - -#Sign image -#sbsign --key db.key --cert db.crt Image - -#Digest image -#hash-to-efi-sig-list Image db_Image.hash -#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth - -#Empty cert for testing -touch noPK.esl -sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth +for key in KEK db dbx; do + openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ + -keyout
"${KEYS_PATH}"/${key}.key -out "${KEYS_PATH}"/${key}.crt \ + -nodes -days 3650 + cert-to-efi-sig-list -g ${GUID} \ + "${KEYS_PATH}"/${key}.crt "${KEYS_PATH}"/${key}.esl + sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/${key} "${KEYS_PATH}"/${key}.esl "${KEYS_PATH}"/${key}.auth +done +# Empty cert for testing +touch "${KEYS_PATH}"/noPK.esl +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/PK "${KEYS_PATH}"/noPK.esl "${KEYS_PATH}"/noPK.auth
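Review bot: db.auth and dbx.auth change signer in this hunk without the commit message saying so: the removed lines signed them with `-c KEK.crt -k KEK.key`, while the new `for key in KEK db dbx` loop signs all three with PK. Even where the firmware accepts PK-signed db/dbx updates, the PK -> KEK -> db hierarchy is the reason a KEK exists (PK can stay offline while KEK authorises db changes), so either keep signing db/dbx with KEK or state why the flat hierarchy is intended. Two smaller points in the same hunk: the script overwrites every key unconditionally on each run (no `[ -e "${KEYS_PATH}/PK.key" ] && exit 0` style guard), so a re-run rotates PK and db while already-built U-Boot, kernel and systemd-boot still carry the old ones; and dbx is populated with a freshly generated certificate that nothing is ever signed with, which revokes nothing. An empty dbx.esl is the honest default, and SUBJECT and GUID could be overridable from the environment the way KEYS_PATH already is.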
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v3 08/13] u-boot: Setup UEFI and Secure Boot
Date: Wed, 21 Aug 2024 19:43:30 -0600
Message-ID: <20240822014335.3394568-9-javier.tia@linaro.org>
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5998

Add U-Boot minimal UEFI definitions. Embed UEFI variables with the keys previously generated. It's to enable UEFI Secure Boot and verify the authenticity of the firmware and operating system.

When U-Boot is built with UEFI support, it includes a set of efivars that are used to store the Secure Boot variables. These efivars are embedded in the U-Boot binary and are stored in the flash memory of the system.

Signed-off-by: Javier Tia
---
 .../u-boot/u-boot-qemuarm64-secureboot.inc | 18 ++++++++++++++++++
 .../u-boot/u-boot/uefi-secureboot.cfg | 10 ++++++++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend | 2 +-
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg

diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
new file mode 100644
index 00000000..ffad08e4
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
@@ -0,0 +1,18 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://uefi-secureboot.cfg" + +UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm" +UBOOT_ENV_NAME = "qemu-arm.env" + +DEPENDS += 'python3-pyopenssl-native' + +do_compile:prepend() { + export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 + + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${UEFI_SB_KEYS_DIR}"/PK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${UEFI_SB_KEYS_DIR}"/db.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file + "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var +} diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg new file mode 100644 index 00000000..d2edb5fb --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg @@ -0,0 +1,10 @@ +CONFIG_CMD_BOOTMENU=y +CONFIG_USE_BOOTCOMMAND=y +CONFIG_BOOTCOMMAND="bootmenu" +CONFIG_USE_PREBOOT=y +CONFIG_EFI_VAR_BUF_SIZE=65536 +CONFIG_FIT_SIGNATURE=y +CONFIG_EFI_SECURE_BOOT=y +CONFIG_EFI_VARIABLES_PRESEED=y +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" +CONFIG_PREBOOT_DEFINED=y \ No newline at end of file diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend index 11f332ad..ee815b6a 100644 --- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend 
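Review bot: nothing in uefi-secureboot.cfg selects a tamper-resistant variable backend, so the PK/KEK/db/dbx written into ubootefi.var by efivar.py only provide the initial contents of U-Boot's file-based variable store; at runtime that store lives as ubootefi.var on the ESP, which the booted OS can rewrite. With this configuration Secure Boot verifies image signatures, but the trust anchors themselves are not protected, and the commit message's statement that the variables are "stored in the flash memory" does not hold for this store. Say so explicitly in the commit message (the machine already carries optee-ftpm, so an OP-TEE-backed store is the natural follow-up), and consider seeding only PK, KEK and db: the dbx.esl loaded here holds a certificate that nothing is signed with.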
@@ -5,6 +5,6 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc" MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc" MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc" MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc" +MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}" require ${MACHINE_U-BOOT_REQUIRE} -
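Review bot: the include is selected by MACHINE_FEATURES alone, but it hard-codes `UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"` and `UBOOT_ENV_NAME = "qemu-arm.env"`, so any other machine handled in this file that later adds the uefi-secureboot feature (corstone1000, fvp-base, juno and tc are listed right above the new line) would inherit the qemu board directory. Select it per machine like the surrounding lines, e.g. `MACHINE_U-BOOT_REQUIRE:append:qemuarm64-secureboot = " u-boot-qemuarm64-secureboot.inc"`, or move the board-specific settings out of the feature include.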
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v3 09/13] qemuarm64-secureboot: Add meta-secure-core layer as dependency
Date: Wed, 21 Aug 2024 19:43:31 -0600
Message-ID: <20240822014335.3394568-10-javier.tia@linaro.org>
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/5999

meta-secure-core is required because of sbsigntool.

Signed-off-by: Javier Tia
---
 ci/qemuarm64-secureboot.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index b26941e0..958a1ff1 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -4,13 +4,15 @@ header: version: 14 includes: - ci/base.yml - -machine: qemuarm64-secureboot - -target: - - core-image-base + - ci/meta-openembedded.yml + - ci/meta-secure-core.yml local_conf_header: optee: | IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta" TEST_SUITES:append = " optee ftpm" + +machine: qemuarm64-secureboot + +target: + - core-image-base
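Review bot: the hunk relocates the existing `machine:` and `target:` blocks below `local_conf_header:` for no stated reason; leaving them where they were reduces the change to the two added includes. The commit message explains meta-secure-core (sbsigntool) but not why ci/meta-openembedded.yml is added in the same hunk; if it is there as a dependency of meta-secure-core, say so.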
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v3 10/13] linux-yocto: Setup UEFI and sign kernel image
Date: Wed, 21 Aug 2024 19:43:32 -0600
Message-ID: <20240822014335.3394568-11-javier.tia@linaro.org>
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6000

The efivarfs kernel module is required to access EFI vars.

Signed-off-by: Javier Tia
---
 .../core-image-base-uefi-secureboot.inc | 8 ++++++++
 .../linux/linux-yocto%.bbappend | 2 ++
 .../linux/linux-yocto-uefi-secureboot.inc | 19 +++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 2232d3b3..06046f6e 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -1,3 +1,11 @@ inherit uefi-sb-keys WKS_FILE = "efi-disk-no-swap.wks.in" + +# Detected by passing kernel parameter +QB_KERNEL_ROOT = "" + +# kernel is in the image, should not be loaded separately +QB_DEFAULT_KERNEL = "none" + +KERNEL_IMAGETYPE = "Image"
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
index a287d0e1..29c21355 100644
--- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
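Review bot: `KERNEL_IMAGETYPE = "Image"` in an image include only changes the value this image recipe sees; the kernel recipe builds whatever the global configuration sets, so if the intent is to build `Image` this belongs in qemuarm64-secureboot.conf next to `IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"`. The comments on QB_KERNEL_ROOT and QB_DEFAULT_KERNEL are helpful; the commit message should cover this hunk the same way, since "efivarfs kernel module is required" describes none of it.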
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \ FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}" require ${FFA_TRANSPORT_INCLUDE} + +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)} \ No newline at end of file diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc new file mode 100644 index 00000000..cb62fdee --- /dev/null +++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc 
@@ -0,0 +1,19 @@ +KERNEL_FEATURES += "cfg/efi-ext.scc" + +DEPENDS += 'gen-uefi-sb-keys' + +inherit sbsign + +SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key" +SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt" + +# shell variable set inside do_compile task +SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE" + +do_compile:append() { + KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit) + do_sbsign +} + +RRECOMMENDS:${PN} += "kernel-module-efivarfs" +RRECOMMENDS:${PN} += "kernel-module-efivars"
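Review bot: `KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)` walks the whole build tree and signs whichever match comes first; kernel.bbclass already knows where the image is, so use `${B}/${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}` and fail loudly if it is missing rather than handing an empty SBSIGN_TARGET_BINARY to do_sbsign. Also in this hunk: `RRECOMMENDS:${PN} += "kernel-module-efivars"` names the legacy sysfs interface that was removed from Linux in 6.0, so on a current linux-yocto that package does not exist and only efivarfs (the one the commit message mentions) is needed; and the include adds `DEPENDS += 'gen-uefi-sb-keys'` but not sbsigntool-native, while systemd-boot-uefi-secureboot.inc later in the series adds both, so the two should agree on whether the sbsign class provides that dependency. Running do_sbsign from inside do_compile:append also ties signing to do_compile's sstate; a dedicated task between compile and install would make it possible to re-sign without a rebuild.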
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v3 11/13] systemd: Add UEFI support
Date: Wed, 21 Aug 2024 19:43:33 -0600
Message-ID: <20240822014335.3394568-12-javier.tia@linaro.org>
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6001

Signed-off-by: Javier Tia
---
 .../recipes-bsp/images/core-image-base-uefi-secureboot.inc | 2 ++
 meta-arm/conf/machine/qemuarm64-secureboot.conf | 5 +++++
 meta-arm/recipes-core/systemd/systemd-efi.inc | 1 +
 meta-arm/recipes-core/systemd/systemd_%.bbappend | 1 +
 4 files changed, 9 insertions(+)
 create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 06046f6e..07e315a3 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -9,3 +9,5 @@ QB_KERNEL_ROOT = "" QB_DEFAULT_KERNEL = "none" KERNEL_IMAGETYPE = "Image" + +IMAGE_INSTALL += "systemd"
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index 6789b1c6..d6a7e22b 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
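Review bot: `IMAGE_INSTALL += "systemd"` is redundant once the machine sets `INIT_MANAGER = "systemd"` in the next hunk: packagegroup-core-boot already pulls in VIRTUAL-RUNTIME_init_manager, which the init-manager include points at systemd. Drop it, or explain in the commit message (currently empty) why the explicit install is needed.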
@@ -25,4 +25,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" +MACHINE_FEATURES += "efi" MACHINE_FEATURES += "uefi-secureboot" + +INIT_MANAGER = "systemd" +DISTRO_FEATURES += "systemd" +DISTRO_FEATURES_NATIVE += "systemd" diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc new file mode 100644 index 00000000..5572e51a --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-efi.inc @@ -0,0 +1 @@ +PACKAGECONFIG:append = " efi" diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 00000000..660358c2 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend 
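Review bot: `INIT_MANAGER = "systemd"`, `DISTRO_FEATURES += "systemd"` and `DISTRO_FEATURES_NATIVE += "systemd"` are distro policy and do not belong in a machine conf: every distro that selects this machine is forced onto systemd, and `INIT_MANAGER = "systemd"` already appends systemd to DISTRO_FEATURES through conf/distro/include/init-manager-systemd.inc, so the DISTRO_FEATURES line duplicates it. Move INIT_MANAGER into the local_conf_header of ci/qemuarm64-secureboot.yml (which already carries the optee settings) and keep only `MACHINE_FEATURES += "efi"` here. The patch also lacks a commit message; one sentence on why systemd's `efi` PACKAGECONFIG is required would help the reader of systemd-efi.inc.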
@@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v3 12/13] systemd-boot: Use it as bootloader & sign UEFI image
Date: Wed, 21 Aug 2024 19:43:34 -0600
Message-ID: <20240822014335.3394568-13-javier.tia@linaro.org>
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6002

As qemuarm64-secureboot is already using systemd as init manager, use systemd-boot as the bootloader too. It has a simpler and more intuitive configuration format compared to grub. It uses a single configuration file that is easy to understand and modify.

Signed-off-by: Javier Tia
---
 .../images/core-image-base-uefi-secureboot.inc | 2 +-
 meta-arm-bsp/wic/efi-disk-no-swap.wks.in | 2 +-
 meta-arm/conf/machine/qemuarm64-secureboot.conf | 2 ++
 .../systemd/systemd-boot-uefi-secureboot.inc | 12 ++++++++++++
 .../recipes-core/systemd/systemd-boot_%.bbappend | 1 +
 5 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 07e315a3..e5cf7760 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -10,4 +10,4 @@ QB_DEFAULT_KERNEL = "none" KERNEL_IMAGETYPE = "Image" -IMAGE_INSTALL += "systemd" +IMAGE_INSTALL += "systemd systemd-boot"
diff --git a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in index 6ae7ad9d..6d77d3aa 100644 --- a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in +++ b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in @@ -7,4 +7,4 @@ part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --exclude-path boot/ -bootloader --ptable gpt --timeout=1 --append="${GRUB_LINUX_APPEND}" +bootloader --ptable gpt --timeout=5 --append="${LINUX_KERNEL_ARGS}" diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf index d6a7e22b..2f40d360 100644 --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf @@ -28,6 +28,8 @@ MACHINE_FEATURES += "optee-ftpm" MACHINE_FEATURES += "efi" MACHINE_FEATURES += "uefi-secureboot" +EFI_PROVIDER = "systemd-boot" + INIT_MANAGER = "systemd" DISTRO_FEATURES += "systemd" DISTRO_FEATURES_NATIVE += "systemd" diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc new file mode 100644 index 00000000..c0753614 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc @@ -0,0 +1,12 @@ +DEPENDS += 'gen-uefi-sb-keys' +DEPENDS += "sbsigntool-native" + +inherit sbsign + +SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key" +SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt" +SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi" + +do_compile:append() { + do_sbsign +} diff --git a/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend new file mode 100644 index 00000000..caba9830 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend 
@@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)} \ No newline at end of file
From patchwork Thu Aug 22 01:43:35 2024 X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48082
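Review bot: the hunk in meta-arm-bsp/wic/efi-disk-no-swap.wks.in changes more than the commit message says. Replacing `--append="${GRUB_LINUX_APPEND}"` with `--append="${LINUX_KERNEL_ARGS}"` in a shared .wks file means any other machine that uses this file and still sets GRUB_LINUX_APPEND silently boots with an empty command line, and nothing in this patch defines LINUX_KERNEL_ARGS; either update the other users of the file in the same patch or point to where in the series the variable is introduced. The `--timeout=1` to `--timeout=5` bump is unrelated to the bootloader switch and should be split out or at least explained.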
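Review bot: in meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc, `SBSIGN_KEY` and `SBSIGN_CERT` are hard-assigned with `=` to the keys produced by gen-uefi-sb-keys, so a build that wants to sign with a real, externally held db key (the normal case outside CI) cannot override them without editing the layer; use `?=` for both and note in the commit message that the generated keys are for test images only. Two smaller points: if UEFI_SB_KEYS_DIR is not inside the recipe sysroot, the key files are not part of the do_compile task signature and a regenerated db.key will not re-sign an already built loader, which `do_compile[file-checksums] += "${SBSIGN_KEY}:True ${SBSIGN_CERT}:True"` would fix; and the two DEPENDS lines mix single and double quotes.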
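Review bot: meta-arm/recipes-core/systemd/systemd-boot_%.bbappend is missing its trailing newline (`\ No newline at end of file`); add it so a later append to the file does not run into the `require` line.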
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v3 13/13] meta-arm: Add UEFI Secure Boot test
Date: Wed, 21 Aug 2024 19:43:35 -0600
Message-ID: <20240822014335.3394568-14-javier.tia@linaro.org>
In-Reply-To: <20240822014335.3394568-1-javier.tia@linaro.org>
References: <20240822014335.3394568-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6003

Add a test to verify UEFI Secure Boot is enabled.

Run the test:

  kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

Signed-off-by: Javier Tia
---
 ci/qemuarm64-secureboot.yml | 2 ++
 .../core-image-base-uefi-secureboot.inc | 6 +++-
 .../oeqa/runtime/cases/uefi_secure_boot.py | 32 +++++++++++++++++++
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index 958a1ff1..02341934 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -11,6 +11,8 @@ local_conf_header: optee: | IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta" TEST_SUITES:append = " optee ftpm" + uefi_secure_boot: | + TEST_SUITES:append = " uefi_secure_boot" machine: qemuarm64-secureboot
diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index e5cf7760..ce64b8b5 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -10,4 +10,8 @@ QB_DEFAULT_KERNEL = "none" KERNEL_IMAGETYPE = "Image" -IMAGE_INSTALL += "systemd systemd-boot" +IMAGE_INSTALL += "systemd systemd-boot util-linux coreutils efivar" + +inherit extrausers + +EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password" diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py new file mode 100644 index 00000000..4a62b54c --- /dev/null +++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py @@ -0,0 +1,32 @@ +# +# SPDX-License-Identifier: MIT +# + +import os + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.oetimeout import OETimeout + + +class UEFI_SB_TestSuite(OERuntimeTestCase): + """ + Validate Secure Boot is Enabled + """ + + @OETimeout(1300) + def test_uefi_secure_boot(self): + # Validate Secure Boot is enabled by checking + # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot. + # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known + # identifier for the Secure Boot UEFI variable. By checking the value of + # this variable, specifically + # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine + # whether Secure Boot is enabled or not. This variable is set by the + # UEFI firmware to indicate the current Secure Boot state. If the + # variable is set to a value of '0x1' (or '1'), it indicates that Secure + # Boot is enabled. If the variable is set to a value of '0x0' (or '0'), + # it indicates that Secure Boot is disabled. + cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot" + status, output = self.target.run(cmd, timeout=120) + self.assertEqual(output, "1", msg="\n".join([cmd, output]))
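Review bot: `EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"` in core-image-base-uefi-secureboot.inc bakes a passwordless root login into the Secure Boot reference image itself, not just into the test run, which undercuts what the image is meant to demonstrate. Move it to the ci/qemuarm64-secureboot.yml local_conf_header next to the TEST_SUITES line, or gate it on testimage, and in a recipe use IMAGE_FEATURES rather than EXTRA_IMAGE_FEATURES, which is the local.conf knob. `inherit extrausers` does nothing here because no EXTRA_USERS_PARAMS is set; drop it. util-linux and coreutils are likewise only needed by the test and belong with the test configuration rather than in the image.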
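Review bot: uefi_secure_boot.py asserts only on `output` and never looks at `status`, so when efivar is absent or efivarfs is not mounted the failure message is whatever the shell printed rather than a clear "efivar failed"; assert `status == 0` before comparing the value, and put the imported but unused `OEHasPackage` to use as `@OEHasPackage(['efivar'])` on the test so it skips cleanly on images without efivar. `import os` is unused, and `@OETimeout(1300)` is far larger than the 120 s already given to the single command. The comment block repeats the GUID three times; one line saying that `efivar -d` prints the variable data as a decimal integer and that 1 means enforcing is enough. Consider also reading `8be4df61-93ca-11d2-aa0d-00e098032b8c-SetupMode` and asserting it is 0, so the test distinguishes an enforcing firmware from one still in setup mode.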