From patchwork Thu Aug 29 16:31:57 2024
X-Patchwork-Submitter: Javier Tia
X-Patchwork-Id: 48476
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v4 01/13] qemuarm64-secureboot: Introduce uefi-secureboot machine feature
Date: Thu, 29 Aug 2024 10:31:57 -0600
Message-ID: <20240829163209.47945-2-javier.tia@linaro.org>
In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6011

Signed-off-by: Javier Tia
---
 meta-arm/conf/machine/qemuarm64-secureboot.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf index 78a39c03..2483c4ac 100644 --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf 
@@ -22,3 +22,4 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" +MACHINE_FEATURES += "uefi-secureboot" From patchwork Thu Aug 29 16:31:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48478 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14200C83F39 for ; Thu, 29 Aug 2024 16:32:26 +0000 (UTC) Received: from mail-yb1-f174.google.com (mail-yb1-f174.google.com [209.85.219.174]) by mx.groups.io with SMTP id smtpd.web11.24052.1724949135893120268 for ; Thu, 29 Aug 2024 09:32:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=bDpvdU/7; spf=pass (domain: linaro.org, ip: 209.85.219.174, mailfrom: javier.tia@linaro.org) Received: by mail-yb1-f174.google.com with SMTP id 3f1490d57ef6-e02b79c6f21so877764276.2 for ; Thu, 29 Aug 2024 09:32:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724949135; x=1725553935; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=xdlXt/aUr86defsx3fUhdOMBxiuCcNV4XSVv3gOErpU=; b=bDpvdU/7KCcaDFdcweu4tcNy0cuXkDYlJAsSUkLX18+ltXgaK4e1TD5wAexgob6e3t DIxcUM7kDnSCZBf0P/DlDabxA+VT8hYrlJLPJncLyZ7IOagCZq1GNYXwkNQd24U4x7M4 RDEifQzwwOG44YKucBXW+3IyOrhj52rMsd6BuPBDlO82SsxCr5+W8t+rC+iwQ1NkOWw/ z9Rd67jUcdlUZqdgr+hgRFKl1QLWJsN1KbOsR2xixYD5kAkCDi3TY10XCig2GDSo70Ve vRMxKZrKikWOZ1BR19LDWGbwKem7xmhko0wgqYedd2Bu6wcpO62m88beeRuBiyCveT5j ak/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724949135; x=1725553935; 
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v4 02/13] core-image-minimal: Use UEFI layout disk partitions Date: Thu, 29 Aug 2024 10:31:58 -0600 Message-ID: <20240829163209.47945-3-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org> References: <20240829163209.47945-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Aug 2024 16:32:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6012 - Use efi-disk-no-swap.wks.in disk definition to add expected UEFI disk partitions configuration. Signed-off-by: Javier Tia --- ci/qemuarm64-secureboot.yml | 6 +++--- .../images/core-image-minimal-uefi-secureboot.inc | 1 + meta-arm/recipes-core/images/core-image-minimal.bbappend | 1 + 3 files changed, 5 insertions(+), 3 deletions(-) create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml index b26941e0..fdde1e79 100644 --- a/ci/qemuarm64-secureboot.yml +++ b/ci/qemuarm64-secureboot.yml @@ -7,10 +7,10 @@ header: machine: qemuarm64-secureboot -target: - - core-image-base - local_conf_header: optee: | IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta" TEST_SUITES:append = " optee ftpm" + +target: + - core-image-minimal diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc new file mode 100644 index 00000000..351e9030 --- /dev/null +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc @@ -0,0 +1 @@ +WKS_FILE = "efi-disk-no-swap.wks.in" 
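Review bot: the ci/qemuarm64-secureboot.yml hunk switches the CI target from `core-image-base` to `core-image-minimal`, but the commit message only mentions the efi-disk-no-swap.wks.in layout. State the target change in the message and why core-image-minimal is now the image under test, since it is also the image that receives the new `WKS_FILE` through the bbappend added in this patch.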
diff --git a/meta-arm/recipes-core/images/core-image-minimal.bbappend b/meta-arm/recipes-core/images/core-image-minimal.bbappend new file mode 100644 index 00000000..46c00f00 --- /dev/null +++ b/meta-arm/recipes-core/images/core-image-minimal.bbappend 
@@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'core-image-minimal-uefi-secureboot.inc', '', d)} \ No newline at end of file From patchwork Thu Aug 29 16:31:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48480 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 39A5EC83F3D for ; Thu, 29 Aug 2024 16:32:26 +0000 (UTC) Received: from mail-yw1-f169.google.com (mail-yw1-f169.google.com [209.85.128.169]) by mx.groups.io with SMTP id smtpd.web10.24029.1724949137049268232 for ; Thu, 29 Aug 2024 09:32:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=q8rF/7AW; spf=pass (domain: linaro.org, ip: 209.85.128.169, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f169.google.com with SMTP id 00721157ae682-6d3c10af2efso155707b3.0 for ; Thu, 29 Aug 2024 09:32:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724949136; x=1725553936; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=i3FMcrxoQMEjfxeuNGxbNN6+IFf/qUnBbfx9yY/tZpY=; b=q8rF/7AWfeBRlIJewvAcLgObvicK1ArCJG8Bmjj7wSLE6WdUMccjFjlQwbAxGvhiUX zvfu90nYHFciFXni4cvkSVdW7lcrhOqE9/dyHOiXMZ8e5T6UeXPu8Y9Q6vEvr4a6U4TU B0LdMjgTaCnTV2QVKKjHMh7wexUJB7RavmMjglQB3v7KLibbw86TSQ1WcNYl8TqPou8U z8ybvbP39a5ZO7Xx083yTDMMlG7MzN7jSD/zomN60HmNnBC8pU6a+5bfGCnGx81PQI/e H0U+a0COZ/thYFCQsHqoeaRGUasCEIl6egadbqQzidKxTFBWg+/C2Er9K2KQGNKmCgGq xyNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724949136; x=1725553936; 
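Review bot: the new bbappend ends without a trailing newline (`\ No newline at end of file`); add one. The `require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'core-image-minimal-uefi-secureboot.inc', '', d)}` form itself is fine: an empty `require` argument includes nothing, so machines without the feature are left unchanged.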
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v4 03/13] layer.conf: Introduce UEFI_SB_KEYS_DIR Date: Thu, 29 Aug 2024 10:31:59 -0600 Message-ID: <20240829163209.47945-4-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org> References: <20240829163209.47945-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Aug 2024 16:32:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6013 UEFI_SB_KEYS_DIR saves UEFI keys path. To avoid security issues, UEFI keys are not provided and they can be generated by gen_uefi_keys.sh script. Signed-off-by: Javier Tia --- meta-arm/conf/layer.conf | 2 ++ meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf index 9e9c9dbd..2854dd69 100644 --- a/meta-arm/conf/layer.conf +++ b/meta-arm/conf/layer.conf @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet" addpylib ${LAYERDIR}/lib oeqa WARN_QA:append:layer-meta-arm = " patch-status" + +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys" \ No newline at end of file diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh new file mode 100755 index 00000000..fc7f25c9 --- /dev/null +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh 
@@ -0,0 +1,35 @@ +#/bin/sh + +set -eux + +#Create PK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth + +#Create KEK +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth + +#Create DB +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth + +#Create DBX +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth + +#Sign image +#sbsign --key db.key --cert db.crt Image + +#Digest image +#hash-to-efi-sig-list Image db_Image.hash +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth + +#Empty cert for testing +touch noPK.esl +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth + From patchwork Thu Aug 29 16:32:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48485 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58F07C87FC5 for ; Thu, 29 Aug 2024 16:32:26 +0000 (UTC) Received: from mail-yw1-f171.google.com (mail-yw1-f171.google.com [209.85.128.171]) by mx.groups.io 
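Review bot: the layer.conf hunk leaves the file without a trailing newline (`\ No newline at end of file`) after `UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"`; add one. A comment next to the assignment saying that this directory holds private signing keys and that the weak default (`??=`) is meant to be overridden for production builds would also help, given the commit message's point that keys are deliberately not shipped in the layer.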
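Review bot: the first line of gen_uefi_keys.sh, `#/bin/sh`, is missing the `!` of the shebang, so the kernel does not see an interpreter and the script only runs because the calling shell falls back to executing it itself; make it `#!/bin/sh`. Two further points on the same hunk: every certificate is created with the same owner GUID `11111111-2222-3333-4444-123456789abc`, the same subject `/CN=Linaro_LEDGE/` and `-nodes` (unencrypted private keys), which is acceptable for a test fixture but should be stated in a header comment so these are never used as production PK/KEK; and `noPK.auth`, produced from the empty `noPK.esl` signed with the PK, is a credential that clears the Platform Key and returns the firmware to setup mode, so the comment should make clear it is for testing only and must not land in a deployed image.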
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v4 04/13] uefi-sb-keys.bbclass: Add class to validate UEFI keys
Date: Thu, 29 Aug 2024 10:32:00 -0600
Message-ID: <20240829163209.47945-5-javier.tia@linaro.org>
In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6014

Without UEFI keys, signing will fail and the OS will not boot.

Signed-off-by: Javier Tia
---
 meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass

diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass
new file mode 100644
index 00000000..e800b4c6
--- /dev/null
+++ b/meta-arm/classes/uefi-sb-keys.bbclass
@@ -0,0 +1,24 @@ +# Validate UEFI keys +python __anonymous () { + if d.getVar("UEFI_SB_KEYS_DIR", False) is None: + raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.") + + # keys used for UEFI secure boot + uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR") + + keys_to_check = [ + uefi_sb_keys + "/PK.esl", + uefi_sb_keys + "/KEK.esl", + uefi_sb_keys + "/dbx.esl", + uefi_sb_keys + "/db.esl", + uefi_sb_keys + "/db.key", + uefi_sb_keys + "/db.crt", + ] + + missing_keys = [f for f in keys_to_check if not os.path.exists(f)] + + if missing_keys: + raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), ) + + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys) + +} From patchwork Thu Aug 29 16:32:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48483 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 658F6C87FC9 for ; Thu, 29 Aug 2024 16:32:26 +0000 (UTC) Received: from mail-yw1-f177.google.com (mail-yw1-f177.google.com [209.85.128.177]) by mx.groups.io with SMTP id smtpd.web11.24058.1724949139433559891 for ; Thu, 29 Aug 2024 09:32:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=XElUKw2T; spf=pass (domain: linaro.org, ip: 209.85.128.177, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f177.google.com with SMTP id 00721157ae682-6c91f9fb0d7so8885437b3.3 for ; Thu, 29 Aug 2024 09:32:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724949138; x=1725553938; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date 
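Review bot: the check lives in `python __anonymous ()`, so it runs at parse time, and `bb.parse.SkipRecipe` silently drops the inheriting recipe when any of `PK.esl`, `KEK.esl`, `dbx.esl`, `db.esl`, `db.key` or `db.crt` is missing. The commit message says the consequence of missing keys is an unbootable OS, so a hard `bb.fatal` with the same "Run %s/gen_uefi_keys.sh" message would surface the problem directly, rather than as a later "Nothing PROVIDES" failure for the image with the skip reason attached. Also consider checking only for the public material (`*.esl`, `db.crt`) here and leaving `db.key` to the signing step, so a build host that holds certificates but not the private key can still parse the image recipe.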
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v4 05/13] sbsign.bbclass: Add class to sign binaries
Date: Thu, 29 Aug 2024 10:32:01 -0600
Message-ID: <20240829163209.47945-6-javier.tia@linaro.org>
In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6015

A lot of recipes are using these same steps to sign binaries for UEFI secure boot.

Authored-by: Mikko Rapeli
Signed-off-by: Javier Tia
---
 meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 meta-arm/classes/sbsign.bbclass

diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass
new file mode 100644
index 00000000..a99c0218
--- /dev/null
+++ b/meta-arm/classes/sbsign.bbclass
@@ -0,0 +1,39 @@ +# Sign binaries for UEFI secure boot +# Usage in recipes: +# +# Set key and cert files in recipe or machine/distro config: +# SBSIGN_KEY = "db.key" +# SBSIGN_CERT = "db.crt" +# +# Set binary to sign per recipe: +# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign" +# +# Then call do_sbsign() in correct stage of the build +# do_compile:append() { +# do_sbsign +# } + +DEPENDS += "sbsigntool-native" + +SBSIGN_KEY ?= "db.key" +SBSIGN_CERT ?= "db.crt" +SBSIGN_TARGET_BINARY ?= "binary_to_sign" + +# makes sure changed keys trigger rebuild/re-signing +SRC_URI += "\ + file://${SBSIGN_KEY} \ + file://${SBSIGN_CERT} \ +" + +# not adding as task since recipes may need to sign binaries at different +# stages. Instead they can call this function when needed by calling this function +do_sbsign() { + bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}" + ${STAGING_BINDIR_NATIVE}/sbsign \ + --key "${UNPACKDIR}/${SBSIGN_KEY}" \ + --cert "${UNPACKDIR}/${SBSIGN_CERT}" \ + --output "${SBSIGN_TARGET_BINARY}.signed" \ + "${SBSIGN_TARGET_BINARY}" + cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned" + cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}" +} \ No newline at end of file From patchwork Thu Aug 29 16:32:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48479 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2AF25C83F3C for ; Thu, 29 Aug 2024 16:32:26 +0000 (UTC) Received: from mail-yw1-f179.google.com (mail-yw1-f179.google.com [209.85.128.179]) by mx.groups.io with SMTP id smtpd.web11.24060.1724949140781561357 for ; Thu, 29 Aug 2024 09:32:20 -0700 Authentication-Results: mx.groups.io; dkim=pass 
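Review bot: `--key "${UNPACKDIR}/${SBSIGN_KEY}"` and `--cert "${UNPACKDIR}/${SBSIGN_CERT}"` assume the two variables are bare file names that the `file://${SBSIGN_KEY}` / `file://${SBSIGN_CERT}` entries resolve through FILESPATH. If a machine or distro config sets them to a path such as `${UEFI_SB_KEYS_DIR}/db.key` (the directory patch 03 introduces), the fetch still succeeds but the concatenation yields a path that does not exist. Either document in the header comment that the values must be file names and that recipes add the key directory via FILESEXTRAPATHS, or build the paths with `$(basename "${SBSIGN_KEY}")`. The header comment should also say that the `file://` fetch copies the private key into each signing recipe's UNPACKDIR, so it ends up in WORKDIR and in any archived sources.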
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia
Subject: [PATCH v4 06/13] core-image-minimal: Inherit uefi-sb-keys
Date: Thu, 29 Aug 2024 10:32:02 -0600
Message-ID: <20240829163209.47945-7-javier.tia@linaro.org>
In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6016

Signed-off-by: Javier Tia
---
 .../recipes-core/images/core-image-minimal-uefi-secureboot.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
index 351e9030..2232d3b3 100644
--- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
+++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
@@ -1 +1,3 @@ +inherit uefi-sb-keys + WKS_FILE = "efi-disk-no-swap.wks.in" From patchwork Thu Aug 29 16:32:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48481 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2ED27C83F3A for ; Thu, 29 Aug 2024 16:32:26 +0000 (UTC) Received: from mail-yb1-f180.google.com (mail-yb1-f180.google.com [209.85.219.180]) by mx.groups.io with SMTP id smtpd.web10.24039.1724949141613833429 for ; Thu, 29 Aug 2024 09:32:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=OrueNG8p; spf=pass (domain: linaro.org, ip: 209.85.219.180, mailfrom: javier.tia@linaro.org) Received: by mail-yb1-f180.google.com with SMTP id 3f1490d57ef6-e1205de17aaso909465276.2 for ; Thu, 29 Aug 2024 09:32:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724949140; x=1725553940; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Y6cnGubIUPfqUNMZsTLbuxSnui3vnRbhrJbBfO5KvAM=; b=OrueNG8pMXhtS/GTtr/Ss2NjuzqJykaiQP+yUrz93DXP1zWUV2GB1RkXS51JRo1Xb3 GRkyAUykUdqlxi2N2azZug15w137Tkkm5DsDUCTV88kW9tJvjSg/06D2ILqvUTLHDgxx IyuoldTf9J5dbqqaT2IRSqpbLE71N28SsYfm485S18wy/qpXKQQ/bPD5GLNBV2xRmkG2 JQQtkzNrr/hJL2QBSiJwVgN7Vj1sWkMR4OqI/tYIJo4Dp3e9ct9TS9n8koN6HPAigZ6P Rc+0kY1VKNQpakfLSQDWU4lkSkDChn5mjqK4UL9PuIP3pkVO57xfyrxGmJr2bqbBUdDB IbeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724949140; x=1725553940; h=content-transfer-encoding:mime-version:references:in-reply-to 
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v4 07/13] meta-arm: Introduce gen-uefi-sb-keys.bb recipe Date: Thu, 29 Aug 2024 10:32:03 -0600 Message-ID: <20240829163209.47945-8-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org> References: <20240829163209.47945-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Aug 2024 16:32:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6017 Generate a new set of keys at build time. It avoids using the same keys, which could generate a security issue.
Signed-off-by: Javier Tia --- meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++ meta-arm/uefi-sb-keys/.gitignore | 4 ++ meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 56 +++++++++---------- 3 files changed, 57 insertions(+), 29 deletions(-) create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb create mode 100644 meta-arm/uefi-sb-keys/.gitignore diff --git a/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb new file mode 100644 index 00000000..a4ae6d87 --- /dev/null +++ b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: MIT + +SUMMARY = "Generate UEFI keys for secure boot" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +DEPENDS += "bash-native" +DEPENDS += "coreutils-native" +DEPENDS += "efitools-native" +DEPENDS += "openssl-native" + +SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh" + +UNPACKDIR = "${S}" + +do_fetch[noexec] = "1" +do_patch[noexec] = "1" +do_compile[noexec] = "1" +do_configure[noexec] = "1" + +do_install() { + ${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh ${UEFI_SB_KEYS_DIR} +} + +FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key" +FILES:${PN} += "${UEFI_SB_KEYS_DIR}/*.crt" diff --git a/meta-arm/uefi-sb-keys/.gitignore b/meta-arm/uefi-sb-keys/.gitignore new file mode 100644 index 00000000..f8669919 --- /dev/null +++ b/meta-arm/uefi-sb-keys/.gitignore @@ -0,0 +1,4 @@ +*.auth +*.crt +*.esl +*.key \ No newline at end of file diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh index fc7f25c9..21e65c72 100755 --- a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh 
@@ -1,35 +1,33 @@ -#/bin/sh +#!/bin/bash +# +# SPDX-License-Identifier: MIT +# set -eux -#Create PK -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl -sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth +KEYS_PATH=${1:-./} +SUBJECT="/CN=Linaro_LEDGE/" +GUID="11111111-2222-3333-4444-123456789abc" -#Create KEK -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl -sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth +openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ + -keyout "${KEYS_PATH}"/PK.key -out "${KEYS_PATH}"/PK.crt \ + -nodes -days 3650 +cert-to-efi-sig-list -g ${GUID} \ + "${KEYS_PATH}"/PK.crt "${KEYS_PATH}"/PK.esl +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/PK "${KEYS_PATH}"/PK.esl "${KEYS_PATH}"/PK.auth -#Create DB -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl -sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth - -#Create DBX -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650 -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl -sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth - -#Sign image -#sbsign --key db.key --cert db.crt Image - -#Digest image -#hash-to-efi-sig-list Image db_Image.hash -#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth - -#Empty cert for testing -touch noPK.esl -sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth +for key in KEK db dbx; do + openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ + -keyout 
"${KEYS_PATH}"/${key}.key -out "${KEYS_PATH}"/${key}.crt \ + -nodes -days 3650 + cert-to-efi-sig-list -g ${GUID} \ + "${KEYS_PATH}"/${key}.crt "${KEYS_PATH}"/${key}.esl + sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/${key} "${KEYS_PATH}"/${key}.esl "${KEYS_PATH}"/${key}.auth +done +# Empty cert for testing +touch "${KEYS_PATH}"/noPK.esl +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/PK "${KEYS_PATH}"/noPK.esl "${KEYS_PATH}"/noPK.auth From patchwork Thu Aug 29 16:32:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48484 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49FB7C87FC3 for ; Thu, 29 Aug 2024 16:32:26 +0000 (UTC) Received: from mail-yw1-f173.google.com (mail-yw1-f173.google.com [209.85.128.173]) by mx.groups.io with SMTP id smtpd.web10.24043.1724949142673106422 for ; Thu, 29 Aug 2024 09:32:22 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=qcvEtgzb; spf=pass (domain: linaro.org, ip: 209.85.128.173, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f173.google.com with SMTP id 00721157ae682-6c130ffa0adso8991607b3.3 for ; Thu, 29 Aug 2024 09:32:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724949142; x=1725553942; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=4i8i4tDl/w+2Hz1m76fbFHZdoBoOcID//NRfTskNKvw=; b=qcvEtgzb/OxOn2937UlSx1bJihcMoTOGOWatHfytJRP4EVBV/5ceemBbUrX7yrZgoz 
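Review bot: in gen-uefi-sb-keys.bb, `do_install()` runs gen_uefi_keys.sh against `${UEFI_SB_KEYS_DIR}` instead of staging into `${D}`, and `FILES:${PN}` then lists `${UEFI_SB_KEYS_DIR}/*.key`, which are the PK, KEK and db private keys. As written the FILES globs match nothing under `${D}` (the package comes out empty), and if they ever did match they would ship private signing keys in an installable package; output written outside `${D}`/`${B}` is also invisible to sstate, so a build restored from sstate has the task marked done while the key files are absent. Suggest generating into `${D}` (or a deploy directory via do_deploy), packaging only the `.crt`/`.esl`/`.auth` material consumers need, and keeping `*.key` out of `FILES:${PN}`. The `SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh"` entry, together with `UNPACKDIR = "${S}"`, also deserves a comment, since the .gitignore hunk under meta-arm/uefi-sb-keys/ suggests `UEFI_SB_KEYS_DIR` points into the layer checkout rather than a fetchable path.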
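Review bot: the new .gitignore under meta-arm/uefi-sb-keys/ lacks a trailing newline (`\ No newline at end of file`), and the fact that `*.key`, `*.crt`, `*.esl` and `*.auth` need ignoring confirms that the build writes generated key material into the layer checkout; having the recipe write into its own `${WORKDIR}`/`${D}` would keep the layer read-only and make this file unnecessary.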
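Review bot: gen_uefi_keys.sh still hard-codes `SUBJECT="/CN=Linaro_LEDGE/"` and `GUID="11111111-2222-3333-4444-123456789abc"`, so although the commit message promises a fresh key set per build, every build's certificates share the same placeholder owner GUID and subject; consider taking both from arguments or the environment, with a freshly generated GUID by default, to match the stated intent. The `for key in KEK db dbx` loop also signs all three `.auth` updates with `PK.key`, whereas the removed lines signed db and dbx with `KEK.key`; that is a behaviour change in the resulting variable hierarchy and needs a sentence in the commit message. Two smaller points: `noPK.esl`/`noPK.auth` is an authenticated empty-PK update "for testing", i.e. the artefact that returns a platform to setup mode, so it should be documented as test-only and never packaged or deployed with the image; and the `-nodes` private keys are written unencrypted into `${KEYS_PATH}` with whatever umask the caller has, so a `umask 077` at the top of the script would be cheap insurance.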
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v4 08/13] u-boot: Setup UEFI and Secure Boot Date: Thu, 29 Aug 2024 10:32:04 -0600 Message-ID: <20240829163209.47945-9-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org> References: <20240829163209.47945-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Aug 2024 16:32:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6018 Add U-Boot minimal UEFI definitions. Embed UEFI variables with the keys previously generated. This is to enable UEFI Secure Boot and verify the authenticity of the firmware and operating system. When U-Boot is built with UEFI support, it includes a set of efivars that are used to store the Secure Boot variables. These efivars are embedded in the U-Boot binary and are stored in the flash memory of the system. Signed-off-by: Javier Tia --- .../u-boot/u-boot-qemuarm64-secureboot.inc | 18 ++++++++++++++++++ .../u-boot/u-boot/uefi-secureboot.cfg | 10 ++++++++++ .../recipes-bsp/u-boot/u-boot_%.bbappend | 2 +- 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc new file mode 100644 index 00000000..ffad08e4 --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
@@ -0,0 +1,18 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://uefi-secureboot.cfg" + +UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm" +UBOOT_ENV_NAME = "qemu-arm.env" + +DEPENDS += 'python3-pyopenssl-native' + +do_compile:prepend() { + export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 + + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${UEFI_SB_KEYS_DIR}"/PK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${UEFI_SB_KEYS_DIR}"/db.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file + "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var +} diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg new file mode 100644 index 00000000..d2edb5fb --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg @@ -0,0 +1,10 @@ +CONFIG_CMD_BOOTMENU=y +CONFIG_USE_BOOTCOMMAND=y +CONFIG_BOOTCOMMAND="bootmenu" +CONFIG_USE_PREBOOT=y +CONFIG_EFI_VAR_BUF_SIZE=65536 +CONFIG_FIT_SIGNATURE=y +CONFIG_EFI_SECURE_BOOT=y +CONFIG_EFI_VARIABLES_PRESEED=y +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" +CONFIG_PREBOOT_DEFINED=y \ No newline at end of file diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend index 11f332ad..ee815b6a 100644 --- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend 
@@ -5,6 +5,6 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc" MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc" MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc" MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc" +MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}" require ${MACHINE_U-BOOT_REQUIRE} - From patchwork Thu Aug 29 16:32:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48477 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 13FADC83F38 for ; Thu, 29 Aug 2024 16:32:26 +0000 (UTC) Received: from mail-yw1-f179.google.com (mail-yw1-f179.google.com [209.85.128.179]) by mx.groups.io with SMTP id smtpd.web10.24053.1724949143857707270 for ; Thu, 29 Aug 2024 09:32:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=sZeAzMch; spf=pass (domain: linaro.org, ip: 209.85.128.179, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f179.google.com with SMTP id 00721157ae682-6d0e7dfab60so10461787b3.3 for ; Thu, 29 Aug 2024 09:32:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724949143; x=1725553943; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=PHIEeal/qm8neCiYLbjWIFzTsAvAxeXL3BZdH5PBRSg=; b=sZeAzMchRY0wihqGNaGQvgXleOXq5Rl4qcCVw+JDCnR2LUGImZFWPHrWPyL/Uq24EG XPQQ11ImnqYiIydYEoFCdArLJ3XwDncd05uwIlDMS/8aYJ3jmy+/+UWjZEYOe3aBYJYi t3405q+bfIbYfx6lOeAb90YT3oVyT6N2MWUJc/iSrjukJANMwuGQAI69+jDBn2nkrPlf 
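Review bot: u-boot-qemuarm64-secureboot.inc reads `${UEFI_SB_KEYS_DIR}/PK.esl`, `KEK.esl`, `db.esl` and `dbx.esl` in `do_compile:prepend` but adds no `DEPENDS` on gen-uefi-sb-keys (the linux-yocto and systemd-boot includes later in the series do), so BitBake has no task ordering guaranteeing that the `.esl` files exist when U-Boot compiles; add `DEPENDS += "gen-uefi-sb-keys"`. The `efivar.py set` calls also write `ubootefi.var` into `${S}` rather than `${B}`, which dirties the source tree and breaks an out-of-tree build, and the `DEPENDS += 'python3-pyopenssl-native'` line uses single quotes where the rest of the file uses double quotes.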
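Review bot: uefi-secureboot.cfg ends without a trailing newline (`\ No newline at end of file`), which can merge lines when Kconfig fragments are concatenated; please add one. `CONFIG_PREBOOT` also puts an interactive `eficonfig` maintenance menu on the console of a machine whose purpose is Secure Boot validation; that is reasonable for a QEMU CI target, but a comment marking it as a test convenience (it lets a console user edit boot options before the signed OS loads) would stop it being copied into a production machine config unchanged. Finally, `CONFIG_FIT_SIGNATURE=y` is enabled although nothing in the series signs a FIT image; if it only satisfies a dependency of `CONFIG_EFI_SECURE_BOOT`, say so in a comment.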
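Review bot: in u-boot_%.bbappend the new `MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', ...)}"` keys on a machine feature, but the include it pulls in is qemu-arm specific (`UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"`, `UBOOT_ENV_NAME = "qemu-arm.env"`), so any other machine that later sets `uefi-secureboot` would get the wrong board directory. The neighbouring lines use per-machine overrides, so the consistent and safer form is `MACHINE_U-BOOT_REQUIRE:qemuarm64-secureboot = "u-boot-qemuarm64-secureboot.inc"`. The hunk also removes the file's trailing blank line, which is unrelated noise.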
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v4 09/13] qemuarm64-secureboot: Add meta-secure-core layer as dependency Date: Thu, 29 Aug 2024 10:32:05 -0600 Message-ID: <20240829163209.47945-10-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org> References: <20240829163209.47945-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Aug 2024 16:32:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6019 meta-secure-core is required because of sbsigntool. Signed-off-by: Javier Tia --- ci/qemuarm64-secureboot.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml index fdde1e79..03281a08 100644 --- a/ci/qemuarm64-secureboot.yml +++ b/ci/qemuarm64-secureboot.yml 
@@ -4,13 +4,15 @@ header: version: 14 includes: - ci/base.yml - -machine: qemuarm64-secureboot + - ci/meta-openembedded.yml + - ci/meta-secure-core.yml local_conf_header: optee: | IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta" TEST_SUITES:append = " optee ftpm" +machine: qemuarm64-secureboot + target: - core-image-minimal From patchwork Thu Aug 29 16:32:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48482 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 54AECC87FC8 for ; Thu, 29 Aug 2024 16:32:26 +0000 (UTC) Received: from mail-yw1-f182.google.com (mail-yw1-f182.google.com [209.85.128.182]) by mx.groups.io with SMTP id smtpd.web11.24077.1724949145169787445 for ; Thu, 29 Aug 2024 09:32:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=ezgfvhxQ; spf=pass (domain: linaro.org, ip: 209.85.128.182, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f182.google.com with SMTP id 00721157ae682-6b47ff8a59aso8107877b3.2 for ; Thu, 29 Aug 2024 09:32:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724949144; x=1725553944; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=rkm13HMFP9FZqmdlE0W6Vw5KdIWOyYYCxFLq8AqBJLI=; b=ezgfvhxQ4WORxBlXLdOimaHzujDgyGQ5xSdUjkZnvB54hvrsnzrcqMDgPDotYvQTAn PBAmDWd/NCYK9MMPfnrkueuh2OqsO0WWJUT3zVIpISBo4eGOGEkO5ieRRmJCa6q8uZIS gkSrq/ikWY41IGq7w9a/9CIsv52v0r1plnvOmMe2JnG0aoJ26dEaFtvyZPaCiX+1gyKQ 8qvE6YqbPf4yPZu9HZi1RiEMFOvC6OZOcbmZ37yphK7ix1BKOsN9zWC4omwRGsi/K64A 
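Review bot: besides adding `ci/meta-secure-core.yml`, the hunk in ci/qemuarm64-secureboot.yml also adds `ci/meta-openembedded.yml` and moves `machine: qemuarm64-secureboot` below `local_conf_header`, while the commit message explains only the sbsigntool dependency. If meta-openembedded is a prerequisite of meta-secure-core, say so in the message; and if the `machine:` move is purely cosmetic, drop it so the diff stays the two-line include change the message describes.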
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v4 10/13] linux-yocto: Setup UEFI and sign kernel image Date: Thu, 29 Aug 2024 10:32:06 -0600 Message-ID: <20240829163209.47945-11-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org> References: <20240829163209.47945-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Aug 2024 16:32:26 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6020 The efivarfs kernel module is required to access EFI vars. Signed-off-by: Javier Tia --- .../core-image-minimal-uefi-secureboot.inc | 8 ++++++++ .../linux/linux-yocto%.bbappend | 2 ++ .../linux/linux-yocto-uefi-secureboot.inc | 19 +++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc index 2232d3b3..06046f6e 100644 --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc @@ -1,3 +1,11 @@ inherit uefi-sb-keys WKS_FILE = "efi-disk-no-swap.wks.in" + +# Detected by passing kernel parameter +QB_KERNEL_ROOT = "" + +# kernel is in the image, should not be loaded separately +QB_DEFAULT_KERNEL = "none" + +KERNEL_IMAGETYPE = "Image" diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend index a287d0e1..29c21355 100644 --- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \ FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}" require ${FFA_TRANSPORT_INCLUDE} + +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)} \ No newline at end of file diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc new file mode 100644 index 00000000..cb62fdee --- /dev/null +++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc 
@@ -0,0 +1,19 @@ +KERNEL_FEATURES += "cfg/efi-ext.scc" + +DEPENDS += 'gen-uefi-sb-keys' + +inherit sbsign + +SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key" +SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt" + +# shell variable set inside do_compile task +SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE" + +do_compile:append() { + KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit) + do_sbsign +} + +RRECOMMENDS:${PN} += "kernel-module-efivarfs" +RRECOMMENDS:${PN} += "kernel-module-efivars" From patchwork Thu Aug 29 16:32:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48486 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 580ADC83F3C for ; Thu, 29 Aug 2024 16:32:36 +0000 (UTC) Received: from mail-yw1-f179.google.com (mail-yw1-f179.google.com [209.85.128.179]) by mx.groups.io with SMTP id smtpd.web10.24058.1724949146315694104 for ; Thu, 29 Aug 2024 09:32:26 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=tVeZz+Sm; spf=pass (domain: linaro.org, ip: 209.85.128.179, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f179.google.com with SMTP id 00721157ae682-690ad83d4d7so7733147b3.3 for ; Thu, 29 Aug 2024 09:32:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724949145; x=1725553945; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=/4uqiqGNFeYK26IJZeFXiRd548q0q3xwHKI1ITF66iY=; b=tVeZz+SmaspNmjoTfN9xrANmxXJkOJFgUXZdKbEOczpCD/qnPCHdZE1IRx6mvi2ucD /iFYLd2i8Fo/QYRpk8zmXvMJz8I+n/i1RJB+eZe/txJYarYaPIbqT4R1LkufLJ6qvtUd 
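Review bot: `KERNEL_IMAGETYPE = "Image"` in core-image-minimal-uefi-secureboot.inc only changes the variable inside the image recipe's own datastore; the kernel recipe that builds the image, and the machine conf's `IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"` seen in the 11/13 hunk, never see it, so it belongs in meta-arm/conf/machine/qemuarm64-secureboot.conf. The comment `# Detected by passing kernel parameter` above `QB_KERNEL_ROOT = ""` also does not say which parameter carries the root device or where it is set; name the mechanism so the empty value does not look like an omission.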
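Review bot: the new `require ${@bb.utils.contains(...)}` line in linux-yocto%.bbappend lacks a trailing newline (`\ No newline at end of file`); please add one. For readability, mirror the `FFA_TRANSPORT_INCLUDE` pattern two lines above and assign the expression to a named variable before the `require`.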
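Review bot: in linux-yocto-uefi-secureboot.inc, `KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)` signs whichever first match `find` returns anywhere under `${B}`, which is fragile: an unrelated file or directory named `Image` would be picked up, and a miss leaves `SBSIGN_TARGET_BINARY` empty so `do_sbsign` fails with an unhelpful error. Use the kernel's known output path, `${B}/${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}` as kernel.bbclass defines it, and fail explicitly if it is missing. The recipe also depends on `gen-uefi-sb-keys` but not on `sbsigntool-native`, unlike systemd-boot-uefi-secureboot.inc in 12/13, so it relies on the sbsign class to pull the tool; state that or add the dependency for consistency. Finally, `RRECOMMENDS:${PN} += "kernel-module-efivars"` refers to the legacy sysfs efivars module, which the commit message does not mention; if only efivarfs is needed, drop it.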
From: Javier Tia To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia Subject: [PATCH v4 11/13] systemd: Add UEFI support Date: Thu, 29 Aug 2024 10:32:07 -0600 Message-ID: <20240829163209.47945-12-javier.tia@linaro.org> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org> References: <20240829163209.47945-1-javier.tia@linaro.org> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Aug 2024 16:32:36 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6021 Signed-off-by: Javier Tia --- meta-arm/conf/machine/qemuarm64-secureboot.conf | 5 +++++ .../images/core-image-minimal-uefi-secureboot.inc | 2 ++ meta-arm/recipes-core/systemd/systemd-efi.inc | 1 + meta-arm/recipes-core/systemd/systemd_%.bbappend | 1 + 4 files changed, 9 insertions(+) create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf index 2483c4ac..542d09a3 100644 --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf @@ -22,4 +22,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" +MACHINE_FEATURES += "efi" MACHINE_FEATURES += "uefi-secureboot" + +INIT_MANAGER = "systemd" +DISTRO_FEATURES += "systemd" +DISTRO_FEATURES_NATIVE += "systemd" diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc index 06046f6e..07e315a3 100644 --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc 
@@ -9,3 +9,5 @@ QB_KERNEL_ROOT = "" QB_DEFAULT_KERNEL = "none" KERNEL_IMAGETYPE = "Image" + +IMAGE_INSTALL += "systemd" diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc new file mode 100644 index 00000000..5572e51a --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-efi.inc @@ -0,0 +1 @@ +PACKAGECONFIG:append = " efi" diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 00000000..660358c2 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend 
@@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)} From patchwork Thu Aug 29 16:32:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48487 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 580E1C83F3D for ; Thu, 29 Aug 2024 16:32:36 +0000 (UTC) Received: from mail-yb1-f169.google.com (mail-yb1-f169.google.com [209.85.219.169]) by mx.groups.io with SMTP id smtpd.web11.24079.1724949147384437068 for ; Thu, 29 Aug 2024 09:32:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=BTLwtCk1; spf=pass (domain: linaro.org, ip: 209.85.219.169, mailfrom: javier.tia@linaro.org) Received: by mail-yb1-f169.google.com with SMTP id 3f1490d57ef6-e17c1881a52so1515562276.0 for ; Thu, 29 Aug 2024 09:32:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724949146; x=1725553946; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=d2+l50kfaOxxxSVJkvG1/4w38RWMsAAekjoRFZ7EGew=; b=BTLwtCk1OrsFdXY/kwcugtxlzwTGxulZeq7REanbzVKjlHpN9i9og/fOPeyYWJPFRD RfT/Rx4aDsjclEGkM2qSfnAmJfGk1rOiIbHxYzlafAzv1gcFn/QaFdytSo5Ghn435GsV fFF8R4PvpdK/grUmE4N0FFfhlhkiPtR4YuA1xtns5FGI6ZSUoffeTcnAC+4DWyRs0H1/ bCfnqZ/vnkECB6fL95rJNXPCSZkmbgQm2W7aiEbQdzc+eW9YMh+LDa+ZjPFpQMjw4Ui5 VAucjCK/57/fDZ9qxi2QW8Mp5uw8hU8jEvjSLOhI0aGRL3HHs3Po6dH+jnJ8qrbGrBMa vNfw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724949146; x=1725553946; h=content-transfer-encoding:mime-version:references:in-reply-to 
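Review bot: qemuarm64-secureboot.conf now sets `INIT_MANAGER = "systemd"`, `DISTRO_FEATURES += "systemd"` and `DISTRO_FEATURES_NATIVE += "systemd"`, which are distro policy, in a machine configuration; any distro that selects this machine gets its init manager overridden and its native feature set changed, and the patch has no commit message explaining why the machine rather than the CI config or a distro should own that choice. Suggest moving these three lines into the `local_conf_header` of ci/qemuarm64-secureboot.yml, next to the optee settings already there, or justifying the placement in the message; `MACHINE_FEATURES += "efi"` is fine where it is.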
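Review bot: `IMAGE_INSTALL += "systemd"` in core-image-minimal-uefi-secureboot.inc is redundant once `INIT_MANAGER = "systemd"` is set, because the init manager already brings systemd into the image, and `+=` on `IMAGE_INSTALL` in image recipes is the form the Yocto manual warns against since it can pre-empt the `?=` default from core-image.bbclass; if an explicit entry is wanted, use `IMAGE_INSTALL:append = " systemd"`.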
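Review bot: the systemd_%.bbappend and systemd-efi.inc pair gates `PACKAGECONFIG:append = " efi"` on the `efi` machine feature, which is the right shape; a one-line comment in systemd-efi.inc saying what the `efi` PACKAGECONFIG enables for this machine would save the next reader a trip into the systemd recipe, and the commit message should say so too, since this patch currently has none.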
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia
Subject: [PATCH v4 12/13] systemd-boot: Use it as bootloader & sign UEFI image
Date: Thu, 29 Aug 2024 10:32:08 -0600
Message-ID: <20240829163209.47945-13-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org>
References: <20240829163209.47945-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Aug 2024 16:32:36 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6022

As qemuarm64-secureboot is already using systemd as init manager, use systemd-boot as the bootloader too. It has a simpler and more intuitive configuration format compared to grub. It uses a single configuration file that is easy to understand and modify.

Signed-off-by: Javier Tia
---
 meta-arm-bsp/wic/efi-disk-no-swap.wks.in | 2 +-
 meta-arm/conf/machine/qemuarm64-secureboot.conf | 2 ++
 .../images/core-image-minimal-uefi-secureboot.inc | 2 +-
 .../systemd/systemd-boot-uefi-secureboot.inc | 12 ++++++++++++
 .../recipes-core/systemd/systemd-boot_%.bbappend | 1 +
 5 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend

diff --git a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in index 6ae7ad9d..6d77d3aa 100644 --- a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in +++ b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
@@ -7,4 +7,4 @@ part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --exclude-path boot/ -bootloader --ptable gpt --timeout=1 --append="${GRUB_LINUX_APPEND}" +bootloader --ptable gpt --timeout=5 --append="${LINUX_KERNEL_ARGS}" diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf index 542d09a3..9c8496cb 100644 --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf @@ -25,6 +25,8 @@ MACHINE_FEATURES += "optee-ftpm" MACHINE_FEATURES += "efi" MACHINE_FEATURES += "uefi-secureboot" +EFI_PROVIDER = "systemd-boot" + INIT_MANAGER = "systemd" DISTRO_FEATURES += "systemd" DISTRO_FEATURES_NATIVE += "systemd" diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc index 07e315a3..e5cf7760 100644 --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc @@ -10,4 +10,4 @@ QB_DEFAULT_KERNEL = "none" KERNEL_IMAGETYPE = "Image" -IMAGE_INSTALL += "systemd" +IMAGE_INSTALL += "systemd systemd-boot" diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc new file mode 100644 index 00000000..c0753614 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc @@ -0,0 +1,12 @@ +DEPENDS += 'gen-uefi-sb-keys' +DEPENDS += "sbsigntool-native" + +inherit sbsign + +SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key" +SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt" +SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi" + +do_compile:append() { + do_sbsign +} 
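Review bot: the efi-disk-no-swap.wks.in hunk changes two things the commit message does not mention: the menu timeout goes from 1 to 5 seconds and the kernel-argument variable is renamed from `GRUB_LINUX_APPEND` to `LINUX_KERNEL_ARGS`. This .wks.in lives in meta-arm-bsp and is shared, so any other machine that still sets only `GRUB_LINUX_APPEND` now gets an empty `--append`; provide a default for `LINUX_KERNEL_ARGS` or list the affected machines in the message. On a Secure Boot image the longer timeout also matters: systemd-boot's command-line editor is enabled by default and the kernel command line is not covered by the PE signature, so ship a `loader.conf` with `editor no` (or move to a UKI) before treating the signed loader as the trust boundary.

Review bot: in the qemuarm64-secureboot.conf hunk, `EFI_PROVIDER = "systemd-boot"` is unconditional while the signing of that loader (the bbappend later in this patch) is gated on the `uefi-secureboot` machine feature; a one-line comment next to this assignment saying that the signed build depends on that feature would save the next reader from tracing the `MACHINE_FEATURES` check.

Review bot: in the core-image-minimal-uefi-secureboot.inc hunk, installing the `systemd-boot` package into the root filesystem is not what places the loader on the ESP; the `bootimg-efi` wic source copies it from the deploy directory. If the intent is only to make the wic image depend on the recipe, `WKS_FILE_DEPENDS += "systemd-boot"` expresses that without adding the package and its EFI binaries to the rootfs.

Review bot: in the systemd-boot-uefi-secureboot.inc hunk, `DEPENDS += 'gen-uefi-sb-keys'` only orders this recipe after the key recipe's sysroot population; if `${UEFI_SB_KEYS_DIR}` is written by that recipe's `do_deploy` (or another task), add an explicit task dependency such as `do_compile[depends] += "gen-uefi-sb-keys:do_deploy"` so signing cannot run before the keys exist. Signing should also fail loudly: unless the `sbsign` class already does it, follow `do_sbsign` with `sbverify --cert ${SBSIGN_CERT} ${SBSIGN_TARGET_BINARY}` so a missing or wrong signature aborts the task. Because the output now depends on per-machine key material, set `PACKAGE_ARCH = "${MACHINE_ARCH}"` here if the systemd-boot recipe is not already machine-specific, otherwise sstate can hand a binary signed with one machine's db key to another. The hard-coded `${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi` path tracks systemd's internal meson layout and will break when upstream moves that directory; signing the installed copy in `do_install:append` is more robust. Minor style: the two `DEPENDS` lines mix single and double quotes.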
diff --git a/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend new file mode 100644 index 00000000..caba9830 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend 
@@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)} \ No newline at end of file From patchwork Thu Aug 29 16:32:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Tia X-Patchwork-Id: 48488 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67043C87FC3 for ; Thu, 29 Aug 2024 16:32:36 +0000 (UTC) Received: from mail-yw1-f181.google.com (mail-yw1-f181.google.com [209.85.128.181]) by mx.groups.io with SMTP id smtpd.web11.24080.1724949148515633324 for ; Thu, 29 Aug 2024 09:32:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=SYZub/i9; spf=pass (domain: linaro.org, ip: 209.85.128.181, mailfrom: javier.tia@linaro.org) Received: by mail-yw1-f181.google.com with SMTP id 00721157ae682-6b8f13f28fbso7917307b3.1 for ; Thu, 29 Aug 2024 09:32:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1724949147; x=1725553947; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=r048M551uetY0q1BuW2zCSzxBwWhWQ4Zf1IPFDak7rM=; b=SYZub/i9NTgGxjZtBfIRfo1ZMFIkOQQescy2lzO4Z6P9aaAMjTQB9Y8FC749LgXQlX T0ya0yrJjRV2Vjndsyig6d8oXjh31206jTOMyXNhNTUOIvaf9ttDGD5basbkIaxY/9Tf M9IcGsuoCMV29zQvRF2b6jBH3REsoIk0ZXlnVqLyjFV1+GQS/Ah4/oB2ITS4YzkwXv3B wwVtDIo0HU7DCAKPFoyTLxAjBBL9MgkOwnMMJBZn+oN8dCGqai+oBEwEiXelxn4igspu RvuJCUGafV1vGuFY17eSMUmc8Maj+tQL2vMGcVf0VFRVhFWDrmlOnDoCpqR+DjJeqnM9 6Hng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724949147; x=1725553947; 
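Review bot: the new systemd-boot_%.bbappend hunk is missing its trailing newline (`\ No newline at end of file`); add it. Referencing `MACHINE_FEATURES` from a recipe bbappend makes the systemd-boot task signatures machine-dependent, which is intended here because the signed binary embeds per-machine key material, but a short comment saying so would keep someone from "fixing" it into a machine-independent recipe later.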
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=r048M551uetY0q1BuW2zCSzxBwWhWQ4Zf1IPFDak7rM=; b=gIdM8JDwwfpN1mTzt4bbm7a4HP/ICucf32G8ybLfCRyuX5m9E86RRq0p1+50u2KRF4 +TOvVsElY5FCwZlxBpSCpNif75FvF75tQa3Cf2xTZBaMl6sG9aiLRUzDpI4UTG9ARRBN WLhJ1z8EYxaSuz5HyQ8rzIfvPVaMsLZeIm8lEEFbjCKOoTXSCd2xsismgjDAT2W5qZXQ wzqBI+/CxD1/neT36ryXdYkB/05u8p6BaKWB9Vr8gvUhARfvRXSygOuIsVFdNMm/mKvU 9fAgRrhZ3bApSfFCjmWReBf4mX5PwldYkisqQkZWKLvmrBwdJee/ek08+yM0MrRE0O7/ mpxw== X-Gm-Message-State: AOJu0YyO4xDrPFbcyoE7kILE6m6OtOlqirLzD4CEcGDEdThbEfn7vOgZ 8cbncI9i85aStD+EzuqAuwM64ax/7DTJwW58qKaTKQQDG4rHC2QqNXTlSov3xKCGmL41GXo+wzq y X-Google-Smtp-Source: AGHT+IEEB47FRjcPQV0dIwav0fminqb81rO2jKe+CMMOfWp+IttoPHwVQ6qP61YyXq/dk+mypX0eNA== X-Received: by 2002:a05:690c:2f0f:b0:6ad:b01a:9469 with SMTP id 00721157ae682-6d277d666d6mr31361727b3.39.1724949147505; Thu, 29 Aug 2024 09:32:27 -0700 (PDT) Received: from jetm-rog-x670e-gene.lan ([170.246.157.153]) by smtp.gmail.com with ESMTPSA id 00721157ae682-6d2d438e18asm2993517b3.60.2024.08.29.09.32.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Aug 2024 09:32:27 -0700 (PDT) 
From: Javier Tia
To: meta-arm@lists.yoctoproject.org
Cc: Mikko Rapeli , Ross Burton , Jon Mason , Javier Tia
Subject: [PATCH v4 13/13] meta-arm: Add UEFI Secure Boot test
Date: Thu, 29 Aug 2024 10:32:09 -0600
Message-ID: <20240829163209.47945-14-javier.tia@linaro.org>
X-Mailer: git-send-email 2.46.0
In-Reply-To: <20240829163209.47945-1-javier.tia@linaro.org>
References: <20240829163209.47945-1-javier.tia@linaro.org>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 29 Aug 2024 16:32:36 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6023

Add a test to verify UEFI Secure Boot is enabled.

Run the test:

    kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

Signed-off-by: Javier Tia
---
 ci/qemuarm64-secureboot.yml | 2 ++
 .../oeqa/runtime/cases/uefi_secure_boot.py | 32 +++++++++++++++++++
 .../core-image-minimal-uefi-secureboot.inc | 6 +++-
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml index 03281a08..3eb8c20c 100644 --- a/ci/qemuarm64-secureboot.yml +++ b/ci/qemuarm64-secureboot.yml @@ -11,6 +11,8 @@ local_conf_header: optee: | IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta" TEST_SUITES:append = " optee ftpm" + uefi_secure_boot: | + TEST_SUITES:append = " uefi_secure_boot" machine: qemuarm64-secureboot diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py new file mode 100644 index 00000000..4a62b54c --- /dev/null +++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
@@ -0,0 +1,32 @@ +# +# SPDX-License-Identifier: MIT +# + +import os + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.oetimeout import OETimeout + + +class UEFI_SB_TestSuite(OERuntimeTestCase): + """ + Validate Secure Boot is Enabled + """ + + @OETimeout(1300) + def test_uefi_secure_boot(self): + # Validate Secure Boot is enabled by checking + # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot. + # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known + # identifier for the Secure Boot UEFI variable. By checking the value of + # this variable, specifically + # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine + # whether Secure Boot is enabled or not. This variable is set by the + # UEFI firmware to indicate the current Secure Boot state. If the + # variable is set to a value of '0x1' (or '1'), it indicates that Secure + # Boot is enabled. If the variable is set to a value of '0x0' (or '0'), + # it indicates that Secure Boot is disabled. + cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot" + status, output = self.target.run(cmd, timeout=120) + self.assertEqual(output, "1", msg="\n".join([cmd, output])) diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc index e5cf7760..ce64b8b5 100644 --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc @@ -10,4 +10,8 @@ QB_DEFAULT_KERNEL = "none" KERNEL_IMAGETYPE = "Image" -IMAGE_INSTALL += "systemd systemd-boot" +IMAGE_INSTALL += "systemd systemd-boot util-linux coreutils efivar" + +inherit extrausers + +EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"
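Review bot: in the uefi_secure_boot.py hunk, `test_uefi_secure_boot` ignores `status` and never guards on the `efivar` package even though `OEHasPackage` (and `os`) are imported. Decorate the test with `@OEHasPackage(['efivar'])` so it is skipped on an image without the tool instead of failing on a missing command, and assert `status == 0` before comparing the value so an unreadable variable produces a clear failure rather than comparing an error message with `"1"`. The variable is also a weak oracle on its own: `SecureBoot == 1` means the firmware reports enforcement, not that this image's loader was verified, so it is worth also asserting `SetupMode == 0` under the same GUID and, in CI for this machine, a negative case where an unsigned loader is refused. Smaller points: `@OETimeout(1300)` is far larger than the 120 s already passed to `self.target.run`; the comment block restates the same fact three times and could simply say the GUID is `EFI_GLOBAL_VARIABLE_GUID`; and `UEFI_SB_TestSuite` does not follow the CamelCase naming of the other oeqa runtime cases.

Review bot: in the core-image-minimal-uefi-secureboot.inc hunk, `EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"` is placed in the image definition itself, so every build of the Secure Boot reference image, not only the CI run, boots with a passwordless root login; a signed boot chain wrapped around an open root account is exactly the reference configuration that gets copied verbatim. Move it into the CI fragment (`ci/qemuarm64-secureboot.yml` already carries a `local_conf_header` for test settings) or gate it on testimage. `inherit extrausers` without any `EXTRA_USERS_PARAMS` is a no-op and can be dropped. The commit message should also say why `util-linux` and `coreutils` are needed; reading `/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` (four attribute bytes followed by the one-byte value) with busybox's `od` would avoid all three new packages.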