From patchwork Thu Sep 26 15:47:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jon Mason X-Patchwork-Id: 49646 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9786ACDE01C for ; Thu, 26 Sep 2024 15:47:47 +0000 (UTC) Received: from mail-oi1-f170.google.com (mail-oi1-f170.google.com [209.85.167.170]) by mx.groups.io with SMTP id smtpd.web11.47365.1727365661656890131 for ; Thu, 26 Sep 2024 08:47:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@kudzu-us.20230601.gappssmtp.com header.s=20230601 header.b=kf+AN6Pd; spf=none, err=permanent DNS error (domain: kudzu.us, ip: 209.85.167.170, mailfrom: jdmason@kudzu.us) Received: by mail-oi1-f170.google.com with SMTP id 5614622812f47-3e27a6d0bb5so716844b6e.2 for ; Thu, 26 Sep 2024 08:47:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kudzu-us.20230601.gappssmtp.com; s=20230601; t=1727365661; x=1727970461; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=1V6+27rqTLGXbxdRAtHSIQrG7lHzMuV8nIXKwBlde4I=; b=kf+AN6PdulhX7NjmFBgEcqH4P6nTjeDHFx+Sh+vaYBH24M4pdp4oXqSoXK/Q/aKF8V oQmpB1CpH9ZEqu+vIq68I8KWV1Vx5rYMEMpCVXXxrTZVn6iNDKsFG1mHgFfHWqalry2m NfAE5tKwc5WBLeK18K48R2RInQzw0eZq9xGAdcOG9R/4Wee4C7kihnoyRZukiNuUp91J 6ysWtUqIeW89/DEZlzbyHBlx7Y5S7FhjQC2RLw2Ega/HZTRI0g56oKIn/EDeyNn7MJIL 43Zxh0ZPZHGzRY+dcXCBxfnBsDeRHHXcMgcGiqmpXUXZFoofiHY0F1vSkbgSMNwh1MtX +Yzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727365661; x=1727970461; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1V6+27rqTLGXbxdRAtHSIQrG7lHzMuV8nIXKwBlde4I=; b=SsmHzNkBduRcGeTm8DqfjaHKXYvse0MX6Z4JxnZTiATMGrqjvduKVodrGMsXEKMJ0B mT/46mLXaCjFXb+zHNZk6iDLwZZiil/MZsU6Wsesqnmu79gpOQKpg7rJZa5ekmKUWI1i F+OsXfivqulbdIo532P/Mg+um+U6D7zL/BK0UiqKWbw60gIxIU6e+QFwEPuor6rVNhex 9e0vPKGtW0jX1s6RAPZP72p14FaXY8mmSS+TmkG3HJ7/GgsSAED0aSjHNysJfidA42i/ cQfvRr+l3qwZX0hnCoSC1gl4J1F8YFRfBey/lAZsn5Iuei/37u0dRg96AICZJfGDi0BD 4FuA== X-Gm-Message-State: AOJu0Yx30CgrOmPKkHz8oLZUAMQjAHusgEvFZR2rHKukUwbo6RmdIFj1 au1za09ftxsBvU6wiObCxtABsur8VjxPxbTKBzB+8nEfPz5RdzDF0gGiiRoNKD125Z9qjm7JaRw = X-Google-Smtp-Source: AGHT+IGFgub/VIRy910/bn1aspX/A2L/u4HcIglW1Jh16L4cD9VwlwZG4SakvC9VUP3FgIpd/PsXtg== X-Received: by 2002:a05:6808:10d6:b0:3e0:4211:1b93 with SMTP id 5614622812f47-3e29b7f3a8fmr5387522b6e.39.1727365660663; Thu, 26 Sep 2024 08:47:40 -0700 (PDT) Received: from localhost ([136.54.20.50]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45c9f2ea78fsm34091cf.54.2024.09.26.08.47.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Sep 2024 08:47:40 -0700 (PDT) From: Jon Mason X-Google-Original-From: Jon Mason To: meta-arm@lists.yoctoproject.org Cc: Javier Tia Subject: [PATCH v7 1/4] arm/optee: Add optee udev rules Date: Thu, 26 Sep 2024 11:47:36 -0400 Message-Id: <20240926154739.2379609-2-jon.mason@arm.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240926154739.2379609-1-jon.mason@arm.com> References: <20240926154739.2379609-1-jon.mason@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Sep 2024 15:47:47 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6118 From: Javier Tia If a /dev/teepriv[0-9]* device is detected, start an instance of tee-supplicant.service with the device name as parameter. Signed-off-by: Javier Tia Signed-off-by: Jon Mason --- meta-arm/recipes-security/optee/optee-client.inc | 8 +++++++- .../recipes-security/optee/optee-client/optee-udev.rules | 6 ++++++ 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 meta-arm/recipes-security/optee/optee-client/optee-udev.rules diff --git a/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/recipes-security/optee/optee-client.inc index ddda2d1a3ae9..f387c80574b0 100644 --- a/meta-arm/recipes-security/optee/optee-client.inc +++ b/meta-arm/recipes-security/optee/optee-client.inc @@ -5,12 +5,13 @@ HOMEPAGE = "https://www.op-tee.org/" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b" -inherit systemd update-rc.d cmake +inherit systemd update-rc.d cmake useradd SRC_URI = " \ git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \ file://tee-supplicant@.service \ file://tee-supplicant.sh \ + file://optee-udev.rules \ " UPSTREAM_CHECK_GITTAGREGEX = "^(?P\d+(\.\d+)+)$" @@ -26,6 +27,8 @@ EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0" do_install:append() { install -D -p -m0644 ${UNPACKDIR}/tee-supplicant@.service ${D}${systemd_system_unitdir}/tee-supplicant@.service install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant + install -d ${D}${sysconfdir}/udev/rules.d + install -m 0644 ${UNPACKDIR}/optee-udev.rules ${D}${sysconfdir}/udev/rules.d/optee.rules sed -i -e s:@sysconfdir@:${sysconfdir}:g \ -e s:@sbindir@:${sbindir}:g \ @@ -38,3 +41,6 @@ SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service" INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME:${PN} = "tee-supplicant" INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ." + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM:${PN} = "--system teeclnt" diff --git a/meta-arm/recipes-security/optee/optee-client/optee-udev.rules b/meta-arm/recipes-security/optee/optee-client/optee-udev.rules new file mode 100644 index 000000000000..075f469c04e9 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-client/optee-udev.rules @@ -0,0 +1,6 @@ +KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd" + +# If a /dev/teepriv[0-9]* device is detected, start an instance of +# tee-supplicant.service with the device name as parameter +KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \ + TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service" From patchwork Thu Sep 26 15:47:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jon Mason X-Patchwork-Id: 49647 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 978ADCDE020 for ; Thu, 26 Sep 2024 15:47:47 +0000 (UTC) Received: from mail-qk1-f170.google.com (mail-qk1-f170.google.com [209.85.222.170]) by mx.groups.io with SMTP id smtpd.web10.47057.1727365662693897940 for ; Thu, 26 Sep 2024 08:47:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@kudzu-us.20230601.gappssmtp.com header.s=20230601 header.b=E4zUCMqj; spf=none, err=permanent DNS error (domain: kudzu.us, ip: 209.85.222.170, mailfrom: jdmason@kudzu.us) Received: by mail-qk1-f170.google.com with SMTP id af79cd13be357-7a9ad15d11bso98919785a.0 for ; Thu, 26 Sep 2024 08:47:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kudzu-us.20230601.gappssmtp.com; s=20230601; t=1727365661; x=1727970461; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Bh/CuR4Fkv0PaoFzGTuwWg2KLGcL0m1HnCEVLGi12bI=; b=E4zUCMqjJ8teCjTMHbkSzWSAQpwh+PjTImzuO7hjzkMO4FDKF/gK873h8ODUM5+UNA 13ByOQqtNm3yYeyZB36N6CAxOReykIsulAJMvz04oAoZD1ROltr8P2Ad0UjzTDuPXQV5 kby1BZV2ds6xcRD35ZsveUPtTf8azLo0vKN+wzlxudM12s14Kn/g2Sq/FgnfOM0mqUBd c6pgRFOJET9kgvqLjSJLXKlTjx174a71bMJnEZ+HYNUxER5aR9jEvmjWfLAH+5zj+wkZ CTH9toutNHfblzpnn2kubECqSK+GJm9etwqTHR9uuAFB1Fw/OKBc/1bKEezyDSDQSeaA 4HCg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727365661; x=1727970461; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Bh/CuR4Fkv0PaoFzGTuwWg2KLGcL0m1HnCEVLGi12bI=; b=TGms29yn8rzPSM+lfODW75z8WUlN/7500/9IxbTxqGcZ6S45fS+iMuzFpa37u0MFB8 GpiZsGcEgxPONuSyosTuHznPhnaaYCQhwcBK7bqzmCx751MkghlLbtuQETGZ8MPVetAD yYOpuKKj6pIKcjBn9486Qss5BnQEWz7fwIvnC6+EwKIojICXYSAZB3T8uJOM3eZnVQLJ /kvQplbtyuyqIfTPZiloU6YMkUCw/HUU2dijQuXnKmGYM1RMjYSZfr+4lckC/rkn3bqu k874P2qENx0uvJldGUN4W+hkTeP1WmbSv+xeM2citasmJpdB/lp6t/jVeBsYtnNeU5N0 E7fw== X-Gm-Message-State: AOJu0YzcowgFoOth+ssn60t4VZKJx8CHT0HPshSbBc66aeFRGGlzh0v0 AND50ORqDcixkXwpruLI//lwi1B8hOoQSR2JC8ZDGnb8UQuWbPUd4chWKaDDQL8mkudDl1Nj4WI = X-Google-Smtp-Source: AGHT+IExluvtqxW7yTuK1rk1pwlgcAdadrn3kiOLugpu67R9ytUQ1Y3AOnuKmG19Ci6uM1Omav/d5A== X-Received: by 2002:a05:6214:5712:b0:6cb:378c:b32a with SMTP id 6a1803df08f44-6cb3b63ee8amr1974016d6.46.1727365661454; Thu, 26 Sep 2024 08:47:41 -0700 (PDT) Received: from localhost ([136.54.20.50]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6cb3b66b507sm396976d6.99.2024.09.26.08.47.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Sep 2024 08:47:41 -0700 (PDT) From: Jon Mason X-Google-Original-From: Jon Mason To: meta-arm@lists.yoctoproject.org Cc: Mikko Rapeli Subject: [PATCH v7 2/4] arm/optee-client: fix systemd service dependencies Date: Thu, 26 Sep 2024 11:47:37 -0400 Message-Id: <20240926154739.2379609-3-jon.mason@arm.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240926154739.2379609-1-jon.mason@arm.com> References: <20240926154739.2379609-1-jon.mason@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Sep 2024 15:47:47 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6119 From: Mikko Rapeli udev starts tee-supplicant once optee has been found. Fix dependencies in systemd service so that starting it in initrd is possible. Stopping requires that ftpm kernel module is disabled or any TPM related actions will fail until the next reboot so working around these in the service file. These are limitations of current kernel optee and ftpm drivers. tpm2.target requires systemd 256 or newer. With older system version there is no simple way to queue in service before TPM device is available. https://www.freedesktop.org/software/systemd/man/devel/systemd.special.html#tpm2.target Note that https://www.freedesktop.org/software/systemd/man/devel/systemd-tpm2-generator.html detects TPM support from either existing kernel driver (built in or loaded really early in initrd and rootfs boot) or ACPI table entry for TPM device. If firmware used a TPM device but doesn't provide ACPI table entry for it, then a kernel patch has been proposed to expose this to userspace: https://lore.kernel.org/lkml/20240422112711.362779-1-mikko.rapeli@linaro.org/ and matching change proposal for systemd: https://github.com/systemd/systemd/pull/32400 Signed-off-by: Mikko Rapeli Signed-off-by: Jon Mason --- .../optee/optee-client/tee-supplicant@.service | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service index 72c0b9aa57ec..8325b6be5174 100644 --- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service @@ -1,10 +1,12 @@ [Unit] Description=TEE Supplicant on %i +DefaultDependencies=no +After=dev-%i.device +Wants=dev-%i.device +Conflicts=shutdown.target +Before=tpm2.target sysinit.target shutdown.target [Service] -User=root EnvironmentFile=-@sysconfdir@/default/tee-supplicant ExecStart=@sbindir@/tee-supplicant $OPTARGS - -[Install] -WantedBy=basic.target +ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID" From patchwork Thu Sep 26 15:47:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jon Mason X-Patchwork-Id: 49645 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 89452CDE01B for ; Thu, 26 Sep 2024 15:47:47 +0000 (UTC) Received: from mail-ot1-f48.google.com (mail-ot1-f48.google.com [209.85.210.48]) by mx.groups.io with SMTP id smtpd.web10.47058.1727365663391038182 for ; Thu, 26 Sep 2024 08:47:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@kudzu-us.20230601.gappssmtp.com header.s=20230601 header.b=JqeomNnA; spf=none, err=permanent DNS error (domain: kudzu.us, ip: 209.85.210.48, mailfrom: jdmason@kudzu.us) Received: by mail-ot1-f48.google.com with SMTP id 46e09a7af769-710d77380cdso580503a34.0 for ; Thu, 26 Sep 2024 08:47:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kudzu-us.20230601.gappssmtp.com; s=20230601; t=1727365662; x=1727970462; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=6QgW74utrjrSN/o8Su8pi246NPX8sy/fcW29ZlyHv+s=; b=JqeomNnAqy69P2FspfcaOTrJeIe7LanK5Pvu5/lfxNagK7OhabmJeLKhXelnx8cSNF I1J5XP7eLeAj0Ip+DSFTxcex9bbBzb/Foy1WkWiJHKmNnCcUd3/Y8/l8JtNqj7CXjnNE bUDnSq+adyadpVNxghRfnvFWnl3ZyIl5z90gd3nmTMS06nEKmaiSeJ4hpgb1QjATWeJG khn4z3XVC1pul/Mmj7f4D51ypjdgeG3i5Y8ro6VlJ3T2PUEuT0ZPH2y4ANUl9HTyOP/O qnbgJav9kWf4+mAmG7itEk0w3vEG7vcDwmdSMfwpDEhc9sLzp2YA5g92NnTp5iqX8f8R jytg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727365662; x=1727970462; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6QgW74utrjrSN/o8Su8pi246NPX8sy/fcW29ZlyHv+s=; b=YP4dXG+TmqwA5Z75nfZAzqInqihThYN3jGmWDPUhXw1JO1DkzyjSdrvRi1mL9iJFw5 a+rLlT8boNdN9OkpeS+HWB+fQTVHyMbt/zcAaKIZOhFrpaazWHW19lfev5wh4FrPkcnd hN+bGngOJGuhmx/gbp5Kp3QONndnuSkPTZAfKCHbI/20JiWQhhCaj0vn/G25DEAdlBuY 7+xkevCxuI56+9/fanOmxPB1Khq/osEYb3YuZvQ7r5X+sBaBwuJV2QZcQOdr1oCodE+O BQqxHPPfQbCZUXEuvIlehboX816dcdteVIFcHucVwI7/zzPgUccpP3gX0D6gZpGwJv2b YdFg== X-Gm-Message-State: AOJu0Yxa7y49xhWgpkGMcRkGUKKstSIetz/jMEjgbVkzC55SRWml39ci oMsL67F+/Sjma7CdmWAxq+6dOxoi46xTc6da3zL/5rwgdBni5FlzcFm7fXh/vPLD2+nETzK8GUQ = X-Google-Smtp-Source: AGHT+IGfhXNGZHTIuskINZuoHB/6EF+a5sa2rMLtZfQGJFZmX/LWZcmNZN2TZj7YR66VvckiyZ6vvA== X-Received: by 2002:a05:6830:630d:b0:710:f382:9342 with SMTP id 46e09a7af769-713c7dab4b1mr5305159a34.11.1727365662306; Thu, 26 Sep 2024 08:47:42 -0700 (PDT) Received: from localhost ([136.54.20.50]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6cb3b5ff1a4sm448896d6.28.2024.09.26.08.47.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Sep 2024 08:47:42 -0700 (PDT) From: Jon Mason X-Google-Original-From: Jon Mason To: meta-arm@lists.yoctoproject.org Cc: Javier Tia Subject: [PATCH v7 3/4] arm: Enable Secure Boot in all required recipes Date: Thu, 26 Sep 2024 11:47:38 -0400 Message-Id: <20240926154739.2379609-4-jon.mason@arm.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240926154739.2379609-1-jon.mason@arm.com> References: <20240926154739.2379609-1-jon.mason@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Sep 2024 15:47:47 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6120 From: Javier Tia In the target, Secure Boot starts from the firmware (u-boot), adds the signing keys, and verifies the bootloader (systemd-boot) and kernel (Linux). The gen-sbkeys recipe generates keys in the host during build time. If keys are found, it will skip the keys generation. As long as the keys are the same, it will guarantee build reproducibility.  sbsign bbclass is used to sign the binaries. sbsign is the name of the tool used to sign these binaries. Hence the name of this class to sbsign and variables with SBSIGN prefix. Signed-off-by: Javier Tia Signed-off-by: Jon Mason --- meta-arm/classes/sbsign.bbclass | 31 +++++++++++ .../u-boot/u-boot-uefi-secureboot.inc | 17 ++++++ .../u-boot/u-boot/uefi-secureboot.cfg | 10 ++++ meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend | 2 + meta-arm/recipes-bsp/uefi/gen-sbkeys.bb | 48 +++++++++++++++++ .../recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh | 52 +++++++++++++++++++ .../systemd/systemd-boot-uefi-secureboot.inc | 7 +++ .../systemd/systemd-boot_%.bbappend | 1 + meta-arm/recipes-core/systemd/systemd-efi.inc | 1 + .../recipes-core/systemd/systemd_%.bbappend | 1 + .../linux/linux-yocto%.bbappend | 2 + .../linux/linux-yocto-uefi-secureboot.inc | 14 +++++ 12 files changed, 186 insertions(+) create mode 100644 meta-arm/classes/sbsign.bbclass create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg create mode 100644 meta-arm/recipes-bsp/uefi/gen-sbkeys.bb create mode 100755 meta-arm/recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass new file mode 100644 index 000000000000..551b951dc2b4 --- /dev/null +++ b/meta-arm/classes/sbsign.bbclass @@ -0,0 +1,31 @@ +# Sign binaries for UEFI Secure Boot +# +# Usage in recipes: +# +# Set binary to sign per recipe: +# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign" +# +# Then call do_sbsign() in correct stage of the build +# do_compile:append() { +# do_sbsign +# } + +DEPENDS += 'gen-sbkeys' +DEPENDS += "sbsigntool-native" + +SBSIGN_KEY = "${SBSIGN_KEYS_DIR}/db.key" +SBSIGN_CERT = "${SBSIGN_KEYS_DIR}/db.crt" +SBSIGN_TARGET_BINARY ?= "binary_to_sign" + +# Not adding as task since recipes may need to sign binaries at different +# stages. Instead they can call this function when needed by calling this function +do_sbsign() { + bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}" + ${STAGING_BINDIR_NATIVE}/sbsign \ + --key "${SBSIGN_KEY}" \ + --cert "${SBSIGN_CERT}" \ + --output "${SBSIGN_TARGET_BINARY}.signed" \ + "${SBSIGN_TARGET_BINARY}" + cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned" + cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}" +} diff --git a/meta-arm/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc b/meta-arm/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc new file mode 100644 index 000000000000..e58035a9c236 --- /dev/null +++ b/meta-arm/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc @@ -0,0 +1,17 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://uefi-secureboot.cfg" + +inherit sbsign + +DEPENDS += 'python3-pyopenssl-native' + +do_compile:prepend() { + export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 + + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${SBSIGN_KEYS_DIR}"/PK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${SBSIGN_KEYS_DIR}"/KEK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${SBSIGN_KEYS_DIR}"/db.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${SBSIGN_KEYS_DIR}"/dbx.esl -t file + "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var +} diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg new file mode 100644 index 000000000000..acdcfdddf3c2 --- /dev/null +++ b/meta-arm/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg @@ -0,0 +1,10 @@ +CONFIG_CMD_BOOTMENU=y +CONFIG_USE_BOOTCOMMAND=y +CONFIG_BOOTCOMMAND="bootmenu" +CONFIG_USE_PREBOOT=y +CONFIG_EFI_VAR_BUF_SIZE=65536 +CONFIG_FIT_SIGNATURE=y +CONFIG_EFI_SECURE_BOOT=y +CONFIG_EFI_VARIABLES_PRESEED=y +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" +CONFIG_PREBOOT_DEFINED=y diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend index 0683a783891f..8542ccfc9084 100644 --- a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend +++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend @@ -2,3 +2,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI:append:qemuarm64-secureboot = " file://qemuarm64.cfg" SRC_URI:append:qemuarm-secureboot = " file://qemuarm.cfg" + +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-uefi-secureboot.inc', '', d)} diff --git a/meta-arm/recipes-bsp/uefi/gen-sbkeys.bb b/meta-arm/recipes-bsp/uefi/gen-sbkeys.bb new file mode 100644 index 000000000000..30c3aced55ea --- /dev/null +++ b/meta-arm/recipes-bsp/uefi/gen-sbkeys.bb @@ -0,0 +1,48 @@ +# SPDX-License-Identifier: MIT + +SUMMARY = "Generate Signing UEFI keys for Secure Boot" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +DEPENDS += "bash-native" +DEPENDS += "coreutils-native" +DEPENDS += "efitools-native" +DEPENDS += "openssl-native" + +SRC_URI = "file://gen_sbkeys.sh" + +UNPACKDIR = "${S}" + +do_patch[noexec] = "1" +do_compile[noexec] = "1" +do_configure[noexec] = "1" +do_install[nostamp] = "1" + +python do_install() { + keys_dir = d.getVar('SBSIGN_KEYS_DIR', True) + + keys_to_check = [ + keys_dir + "/PK.esl", + keys_dir + "/KEK.esl", + keys_dir + "/db.esl", + keys_dir + "/dbx.esl", + keys_dir + "/db.key", + keys_dir + "/db.crt", + ] + + missing_keys = [f for f in keys_to_check if not os.path.exists(f)] + + if not missing_keys: + bb.debug(2, "All UEFI keys found in '%s' to sign binaries'" % keys_dir) + return + + gen_sbkeys = d.getVar('UNPACKDIR', True) + "/gen_sbkeys.sh" + + import subprocess + bb.debug(2, "Calling '%s' to generate UEFI keys in path: '%s'" % (gen_sbkeys, keys_dir)) + cmd = "%s %s" % (gen_sbkeys, keys_dir) + subprocess.Popen(cmd, shell=True) +} + +FILES:${PN} += "${SBSIGN_KEYS_DIR}/db.key" +FILES:${PN} += "${SBSIGN_KEYS_DIR}/db.crt" diff --git a/meta-arm/recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh b/meta-arm/recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh new file mode 100755 index 000000000000..6ad74a315a59 --- /dev/null +++ b/meta-arm/recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh @@ -0,0 +1,52 @@ +#!/bin/bash +# +# SPDX-License-Identifier: MIT +# +# +# Set up UEFI Secure Boot keys. Generate keys and certificates, convert them +# into EFI Signature Lists, and sign them. By managing these keys, you can +# control what is considered trusted on your system. + +set -eux + +KEYS_PATH=${1:-./} +SUBJECT="/CN=OpenEmbedded/" + +# The number used is just a GUID random number that has not special meaning. +# GUID (Globally Unique Identifier) is associated with the signature list. GUIDs +# in this context are used to uniquely identify the owner or the purpose of the +# keys within the EFI environment. This GUID can be used to distinguish +# different lists or purposes within the UEFI firmware settings +GUID="11111111-2222-3333-4444-123456789abc" + +if [ ! -d "${KEYS_PATH}" ]; then + mkdir -p "${KEYS_PATH}" +fi + +if [ -f "${KEYS_PATH}"/PK.crt ]; then + exit 0 +fi + +# Platform Key (PK): The root key in Secure Boot, which authorizes changes to +# the KEK +openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ + -keyout "${KEYS_PATH}"/PK.key -out "${KEYS_PATH}"/PK.crt \ + -nodes -days 3650 +cert-to-efi-sig-list -g ${GUID} \ + "${KEYS_PATH}"/PK.crt "${KEYS_PATH}"/PK.esl +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/PK "${KEYS_PATH}"/PK.esl "${KEYS_PATH}"/PK.auth + +# Key Exchange Key (KEK): Allows for updates to the db and dbx lists +# +# db and dbx: Control lists for allowed and disallowed executable files and +# drivers +for key in KEK db dbx; do + openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \ + -keyout "${KEYS_PATH}"/${key}.key -out "${KEYS_PATH}"/${key}.crt \ + -nodes -days 3650 + cert-to-efi-sig-list -g ${GUID} \ + "${KEYS_PATH}"/${key}.crt "${KEYS_PATH}"/${key}.esl + sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \ + "${KEYS_PATH}"/${key} "${KEYS_PATH}"/${key}.esl "${KEYS_PATH}"/${key}.auth +done diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc new file mode 100644 index 000000000000..84196a681e06 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc @@ -0,0 +1,7 @@ +inherit sbsign + +SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi" + +do_compile:append() { + do_sbsign +} diff --git a/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend new file mode 100644 index 000000000000..9850bbf9a663 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)} diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc new file mode 100644 index 000000000000..5572e51ae917 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-efi.inc @@ -0,0 +1 @@ +PACKAGECONFIG:append = " efi" diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 000000000000..660358c29b9d --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)} diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend index a287d0e1814a..71e643a95496 100644 --- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend @@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \ FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}" require ${FFA_TRANSPORT_INCLUDE} + +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)} diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc new file mode 100644 index 000000000000..5c1f4de7a0ad --- /dev/null +++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc @@ -0,0 +1,14 @@ +KERNEL_FEATURES += "cfg/efi-ext.scc" + +inherit sbsign + +# shell variable set inside do_compile task +SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE" + +do_compile:append() { + KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit) + do_sbsign +} + +RRECOMMENDS:${PN} += "kernel-module-efivarfs" +RRECOMMENDS:${PN} += "kernel-module-efivars" From patchwork Thu Sep 26 15:47:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jon Mason X-Patchwork-Id: 49648 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8A4BCCDE017 for ; Thu, 26 Sep 2024 15:47:47 +0000 (UTC) Received: from mail-qt1-f180.google.com (mail-qt1-f180.google.com [209.85.160.180]) by mx.groups.io with SMTP id smtpd.web11.47366.1727365664571022975 for ; Thu, 26 Sep 2024 08:47:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@kudzu-us.20230601.gappssmtp.com header.s=20230601 header.b=13OGJURE; spf=none, err=permanent DNS error (domain: kudzu.us, ip: 209.85.160.180, mailfrom: jdmason@kudzu.us) Received: by mail-qt1-f180.google.com with SMTP id d75a77b69052e-4583068795eso8318871cf.1 for ; Thu, 26 Sep 2024 08:47:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kudzu-us.20230601.gappssmtp.com; s=20230601; t=1727365663; x=1727970463; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=GZw7Gt9Oav6RjglQ5lIw9mp2qpi1ZjslzBC6PMijJy8=; b=13OGJURE45Y8WDhfZ6prQ/Pjsn2+Pp0r/7Kf1KZtD2fRlqIcbjnuqs/8wl/Korpw9y VgkuPw4fxi3Thufvz/tEquLqAmUMb1c+YWOhJux7e+5tJzN7sEtOaKHAS8/1xwWfAjWl PifWD92zRNtU71L7+D0YBUcTj6cE5IQ9DZ2f1XeZzYjEY1S91coH2TUYLaq+nd9jJkYn ctbJ1aE3/z8Qdt6x2YVJa3ruRgIL0/DfspFHt9AasC4uAUorcmnsgtYxfoh/9T/ebrVU x4sT0IeSs7Uyd+vLPQJSnM6TUCEVyE1Y8/jk6HAsJ4XrujZO7t3sgvVxxfxVT90sAs24 anfw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727365663; x=1727970463; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GZw7Gt9Oav6RjglQ5lIw9mp2qpi1ZjslzBC6PMijJy8=; b=pWYU+PfEyTL0H8V4t96SYhWNZF9jMIoV8D20fYo2Gn1S4gXuHKQM5/AWdazauuHcGm cecQ0W+4KZnZdKl8xMZIAnNE4y89ofk2lvO9FCaO6WQwnDf2mg6iRDuDqGpkibvAld44 6BtVoHfGaZmcQMF+/My4cHwm936C6d0h9VNcc5pPjmA7VMVNRMqzLwJQ7x0JtprC/kro VzSxt359AkHOideH4v9Tr3gIPpIW9YRWfZRTEAKXf5yHKZ9VAuN5mgNt+7bP4pu0kShD zPorfOKI7uRxs2od0fqgQM9DNv7Fo0medv0vqxoTS4ebuNy+UqPbbAZKyqDd/6lewj9O jcFQ== X-Gm-Message-State: AOJu0Yzb7krI3jERwUXcUhwTorikWA+3Jn3cut4zEsSfEX4l058rS128 u0E/XIJIS8+jmR4+WKgmhVAqiW/s6/ZuxiVW6jSq6DbH01S8TG+WUKxGAu7qzC6ZW814pEiouvU = X-Google-Smtp-Source: AGHT+IEtVw4ByWlJWn9a333HWf7CfPiADVl2liON+GQCCUBl6u5Tcy82fXSZRVZdZFLT3cgugw2HEg== X-Received: by 2002:a05:622a:143:b0:458:571c:f9b3 with SMTP id d75a77b69052e-45c9f1bea1dmr620971cf.1.1727365663293; Thu, 26 Sep 2024 08:47:43 -0700 (PDT) Received: from localhost ([136.54.20.50]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45c9f2e0cfasm41601cf.43.2024.09.26.08.47.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Sep 2024 08:47:42 -0700 (PDT) From: Jon Mason X-Google-Original-From: Jon Mason To: meta-arm@lists.yoctoproject.org Cc: Javier Tia Subject: [PATCH v7 4/4] arm/qemuarm64-secureboot: Enable UEFI Secure Boot Date: Thu, 26 Sep 2024 11:47:39 -0400 Message-Id: <20240926154739.2379609-5-jon.mason@arm.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240926154739.2379609-1-jon.mason@arm.com> References: <20240926154739.2379609-1-jon.mason@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 26 Sep 2024 15:47:47 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6121 From: Javier Tia Encapsulate all UEFI Secure Boot required settings in one Kas configuration file. Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated to sign UEFI binaries.  Introduce uefi-secureboot machine feature, which is being used to conditionally set the proper UEFI settings in recipes. Replace Grub bootloader with systemd-boot, which it makes easier to enable Secure Boot. Advantages using systemd as Init Manager: - Extending secure boot to userspace is a lot easier with systemd than with sysvinit where custom scripts will need to be written for all use cases. - systemd supports dm-verity and TPM devices for encryption usecases out of the box. Enabling them is a lot easier than writing custom scripts for sysvinit. - systemd also supports EUFI signing the UKI binaries which merge kernel, command line and initrd which helps in bringing secure boot towards rootfs. - systemd offers a modular structure with unit files that are more predictable and easier to manage than the complex and varied scripts used by SysVinit. This modularity allows for better control and customization of the boot process, which is beneficial in Secure Boot environments. - Add CI settings to build and test UEFI Secure Boot. Add one test to verify Secure Boot using OE Testing infraestructure: $ kas build ci/qemuarm64-secureboot.yml:ci/uefi-secureboot.yml:ci/testimage.yml ... RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s) ... SUMMARY: core-image-base () - Ran 73 tests in 28.281s core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0) Signed-off-by: Javier Tia Signed-off-by: Jon Mason --- .gitlab-ci.yml | 1 + ci/uefi-secureboot.yml | 37 +++++++++++++++++++ .../lib/oeqa/runtime/cases/uefi_secureboot.py | 29 +++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 ci/uefi-secureboot.yml create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e8627731e244..1ea167c63d8e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -272,6 +272,7 @@ qemuarm64-secureboot: TOOLCHAINS: [gcc, clang] TCLIBC: [glibc, musl] TS: [none, qemuarm64-secureboot-ts] + UEFISB: [none, uefi-secureboot] TESTING: testimage - KERNEL: linux-yocto-dev TESTING: testimage diff --git a/ci/uefi-secureboot.yml b/ci/uefi-secureboot.yml new file mode 100644 index 000000000000..fd95b876943c --- /dev/null +++ b/ci/uefi-secureboot.yml @@ -0,0 +1,37 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json + +# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed +# during the boot process. + +header: + version: 14 + includes: + - ci/meta-openembedded.yml + - ci/meta-secure-core.yml + +local_conf_header: + uefi_secureboot: | + SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys" + BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR" + + # Detected by passing kernel parameter + QB_KERNEL_ROOT = "" + + # kernel is in the image, should not be loaded separately + QB_DEFAULT_KERNEL = "none" + + WKS_FILE = "efi-disk.wks.in" + KERNEL_IMAGETYPE = "Image" + + MACHINE_FEATURES:append = " efi uefi-secureboot" + + EFI_PROVIDER = "systemd-boot" + + # Use systemd as the init system + INIT_MANAGER = "systemd" + DISTRO_FEATURES:append = " systemd" + DISTRO_FEATURES_NATIVE:append = " systemd" + + IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils efivar" + + TEST_SUITES:append = " uefi_secureboot" diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py new file mode 100644 index 000000000000..9e47ea8dfecd --- /dev/null +++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py @@ -0,0 +1,29 @@ +# +# SPDX-License-Identifier: MIT +# + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.oetimeout import OETimeout + + +class UEFI_SB_TestSuite(OERuntimeTestCase): + """ + Validate Secure Boot is Enabled + """ + + @OETimeout(1300) + def test_uefi_secureboot(self): + # Validate Secure Boot is enabled by checking + # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot. + # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known + # identifier for the Secure Boot UEFI variable. By checking the value of + # this variable, specifically + # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine + # whether Secure Boot is enabled or not. This variable is set by the + # UEFI firmware to indicate the current Secure Boot state. If the + # variable is set to a value of '0x1' (or '1'), it indicates that Secure + # Boot is enabled. If the variable is set to a value of '0x0' (or '0'), + # it indicates that Secure Boot is disabled. + cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot" + status, output = self.target.run(cmd, timeout=120) + self.assertEqual(output, "1", msg="\n".join([cmd, output]))