From patchwork Thu Jan 30 15:34:33 2025
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 56292
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: meta-arm@lists.yoctoproject.org, Mikko Rapeli
Subject: [PATCH 1/3] systemd-boot-native: undelete but disable configure and compile tasks
Date: Thu, 30 Jan 2025 17:34:33 +0200
Message-ID: <20250130153435.1074941-1-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <181F17E3A23753E5.21193@lists.yoctoproject.org>
References: <181F17E3A23753E5.21193@lists.yoctoproject.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210449

The tasks were deleted and do_patch() was run after do_install() which means that patches applied in SRC_URI were not in the ukify.py binary installed. Mark the tasks as noexec since they don't need to do anything.

Signed-off-by: Mikko Rapeli
--- meta/recipes-core/systemd/systemd-boot-native_257.1.bb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb index 58db408dcf..5b4b63c294 100644 --- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb +++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
@@ -2,13 +2,12 @@ require systemd.inc inherit native -deltask do_configure -deltask do_compile +do_configure[noexec] = "1" +do_compile[noexec] = "1" do_install () { install -Dm 0755 ${S}/src/ukify/ukify.py ${D}${bindir}/ukify } -addtask install after do_unpack PACKAGES = "${PN}"

From patchwork Thu Jan 30 15:34:34 2025
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 56293
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: meta-arm@lists.yoctoproject.org, Mikko Rapeli
Subject: [PATCH 2/3] uki.bbclass: capture ukify command stdout and stderr
Date: Thu, 30 Jan 2025 17:34:34 +0200
Message-ID: <20250130153435.1074941-2-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250130153435.1074941-1-mikko.rapeli@linaro.org>
References: <181F17E3A23753E5.21193@lists.yoctoproject.org> <20250130153435.1074941-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210450

ukify tool can show important warnings and even errors if it fails so capture the logs.

Signed-off-by: Mikko Rapeli
--- meta/classes-recipe/uki.bbclass | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/classes-recipe/uki.bbclass b/meta/classes-recipe/uki.bbclass index 92f690526d..ccda042ab4 100644 --- a/meta/classes-recipe/uki.bbclass +++ b/meta/classes-recipe/uki.bbclass
@@ -190,6 +190,7 @@ python do_uki() { # Run the ukify command bb.debug(2, "uki: running command: %s" % (ukify_cmd)) - bb.process.run(ukify_cmd, shell=True) + out, err = bb.process.run(ukify_cmd, shell=True) + bb.debug(2, "%s\n%s" % (out, err)) } addtask uki after do_rootfs before do_deploy do_image_complete do_image_wic

From patchwork Thu Jan 30 15:34:35 2025
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 56294
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: meta-arm@lists.yoctoproject.org, Mikko Rapeli, Jon Mason
Subject: [PATCH 3/3] systemd-boot-native: fix kernel signature for secureboot
Date: Thu, 30 Jan 2025 17:34:35 +0200
Message-ID: <20250130153435.1074941-3-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250130153435.1074941-1-mikko.rapeli@linaro.org>
References: <181F17E3A23753E5.21193@lists.yoctoproject.org> <20250130153435.1074941-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210451

systemd update from 256 to 257 broke kernel secureboot signatures inside signed UKI files with u-boot based UEFI firmware, e.g. meta-arm and qemuarm64-secureboot machine config and secureboot:

$ cd meta-arm
$ kas build ci/poky.yml:ci/qemuarm64-secureboot.yml:ci/uefi-secureboot.yml:ci/testimage.yml

systemd-boot itself is secureboot signed and verified by firmware. Same for the UKI file which combines kernel, initramfs etc. Then kernel from UKI is additionally executed using UEFI firmware calls which check signatures so the kernel binary inside signed UKI needs to be signed with same keys too. PE file padding added to systemd ukify in 257 release broke kernel signature validation for u-boot and sbsign/sbverify tools. EDK2 based firmware like OVMF may not be affected because systemd-boot is able to disable signature checking after a signed UKI has been loaded. This feature is not supported by u-boot.

Upstream systemd bug report:

https://github.com/systemd/systemd/issues/35851

This patch is proposed to upstream in:

https://github.com/systemd/systemd/pull/36225

systemd upstream may not like this revert and would prefer alternative, possibly more intrusive changes instead, e.g.
to UEFI firmware implementations, sbsign/sbverify tooling or systemd-boot, but this ukify revert is simpler for us systemd users for now. Cc: Jon Mason Cc: meta-arm@lists.yoctoproject.org Signed-off-by: Mikko Rapeli --- .../systemd/systemd-boot-native_257.1.bb | 3 ++ ...y.py-disable-virtual-size-for-kernel.patch | 39 +++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb index 5b4b63c294..22ac5c96cc 100644 --- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb +++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb @@ -1,4 +1,7 @@ require systemd.inc +FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:" + +SRC_URI += "file://0001-ukify.py-disable-virtual-size-for-kernel.patch" inherit native diff --git a/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch b/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch new file mode 100644 index 0000000000..ddf53f01c7 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch 
@@ -0,0 +1,39 @@ +From cb869363ed84bcdd84c44781bc7f74ac027f9a9e Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli +Date: Thu, 30 Jan 2025 11:33:38 +0000 +Subject: [PATCH] ukify.py: disable virtual size for kernel + +Adding padding to kernel breaks secure boot signature +for u-boot based UEFI firmware and sbverify tooling. + +Workaround for https://github.com/systemd/systemd/issues/35851 + +Signed-off-by: Mikko Rapeli +--- + src/ukify/ukify.py | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/36225] + +diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py +index 5f821297c1..08ba800b44 100755 +--- a/src/ukify/ukify.py ++++ b/src/ukify/ukify.py +@@ -1238,12 +1238,8 @@ def make_uki(opts: UkifyConfig) -> None: + uki.add_section(section) + + if linux is not None: +- try: +- virtual_size = pefile.PE(linux, fast_load=True).OPTIONAL_HEADER.SizeOfImage +- except pefile.PEFormatError: +- print(f'{linux} is not a valid PE file, not using SizeOfImage.') +- virtual_size = None +- ++ # Padding breaks signature for kernel https://github.com/systemd/systemd/issues/35851 ++ virtual_size = None + uki.add_section(Section.create('.linux', linux, measure=True, virtual_size=virtual_size)) + + # Don't add a sbat section to profile PE binaries. +-- +2.43.0 +
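Review bot: In [PATCH 1/3], the two added noexec lines for do_configure and do_compile carry no comment saying why the tasks must stay in the task graph instead of being deleted. The commit message explains that with the tasks deleted do_patch() ran after do_install(), so SRC_URI patches never reached the installed ukify; a one-line comment above the noexec assignments stating that would stop a later cleanup from restoring deltask and silently shipping an unpatched ukify again.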
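Review bot: In [PATCH 2/3], the added bb.debug(2, ...) call in do_uki() records ukify stdout and stderr only at debug level 2, so the warnings the commit message calls important are visible only where debug-level messages are recorded. Consider bb.note() for the output, and bb.warn() when err is non-empty, so a signing or PE layout warning is seen in an ordinary build. The new line also runs only when the command succeeds, because bb.process.run() raises on a non-zero exit; output from a failed ukify run still depends on the exception text.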
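Review bot: In [PATCH 3/3], the ukify.py hunk sets virtual_size = None unconditionally in make_uki(), so every UKI built with this native ukify loses the SizeOfImage-derived virtual size for the .linux section, including builds for EDK2 based firmware that the commit message says may not be affected. If that trade-off is intended for all machines, state it in the embedded patch description; otherwise gate it on a setting that only the u-boot secureboot configurations enable. Separately, Upstream-Status sits below the "---" and diffstat of the embedded patch, where git am discards text; placing it in the patch header next to Signed-off-by keeps it when the patch is refreshed.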