From patchwork Thu Jan 30 15:34:33 2025
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 56295
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: meta-arm@lists.yoctoproject.org, Mikko Rapeli
Subject: [PATCH 1/3] systemd-boot-native: undelete but disable configure and compile tasks
Date: Thu, 30 Jan 2025 17:34:33 +0200
Message-ID: <20250130153435.1074941-1-mikko.rapeli@linaro.org>
In-Reply-To: <181F17E3A23753E5.21193@lists.yoctoproject.org>
References: <181F17E3A23753E5.21193@lists.yoctoproject.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6360

The tasks were deleted and do_patch() was run after do_install() which means that patches applied in SRC_URI were not in the ukify.py binary installed. Mark the tasks as noexec since they don't need to do anything.

Signed-off-by: Mikko Rapeli
--- meta/recipes-core/systemd/systemd-boot-native_257.1.bb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb index 58db408dcf..5b4b63c294 100644 --- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb +++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
@@ -2,13 +2,12 @@ require systemd.inc inherit native -deltask do_configure -deltask do_compile +do_configure[noexec] = "1" +do_compile[noexec] = "1" do_install () { install -Dm 0755 ${S}/src/ukify/ukify.py ${D}${bindir}/ukify } -addtask install after do_unpack PACKAGES = "${PN}"

From patchwork Thu Jan 30 15:34:34 2025
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 56296
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: meta-arm@lists.yoctoproject.org, Mikko Rapeli
Subject: [PATCH 2/3] uki.bbclass: capture ukify command stdout and stderr
Date: Thu, 30 Jan 2025 17:34:34 +0200
Message-ID: <20250130153435.1074941-2-mikko.rapeli@linaro.org>
In-Reply-To: <20250130153435.1074941-1-mikko.rapeli@linaro.org>
References: <181F17E3A23753E5.21193@lists.yoctoproject.org> <20250130153435.1074941-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6361

ukify tool can show important warnings and even errors if it fails so capture the logs.

Signed-off-by: Mikko Rapeli
--- meta/classes-recipe/uki.bbclass | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/classes-recipe/uki.bbclass b/meta/classes-recipe/uki.bbclass index 92f690526d..ccda042ab4 100644 --- a/meta/classes-recipe/uki.bbclass +++ b/meta/classes-recipe/uki.bbclass
@@ -190,6 +190,7 @@ python do_uki() { # Run the ukify command bb.debug(2, "uki: running command: %s" % (ukify_cmd)) - bb.process.run(ukify_cmd, shell=True) + out, err = bb.process.run(ukify_cmd, shell=True) + bb.debug(2, "%s\n%s" % (out, err)) } addtask uki after do_rootfs before do_deploy do_image_complete do_image_wic

From patchwork Thu Jan 30 15:34:35 2025
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 56297
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: meta-arm@lists.yoctoproject.org, Mikko Rapeli, Jon Mason
Subject: [PATCH 3/3] systemd-boot-native: fix kernel signature for secureboot
Date: Thu, 30 Jan 2025 17:34:35 +0200
Message-ID: <20250130153435.1074941-3-mikko.rapeli@linaro.org>
In-Reply-To: <20250130153435.1074941-1-mikko.rapeli@linaro.org>
References: <181F17E3A23753E5.21193@lists.yoctoproject.org> <20250130153435.1074941-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6362

systemd update from 256 to 257 broke kernel secureboot signatures inside signed UKI files with u-boot based UEFI firmware, e.g. meta-arm and qemuarm64-secureboot machine config and secureboot:

$ cd meta-arm
$ kas build ci/poky.yml:ci/qemuarm64-secureboot.yml:ci/uefi-secureboot.yml:ci/testimage.yml

systemd-boot itself is secureboot signed and verified by firmware. Same for the UKI file which combines kernel, initramfs etc. Then kernel from UKI is additionally executed using UEFI firmware calls which check signatures so the kernel binary inside signed UKI needs to be signed with same keys too.

PE file padding added to systemd ukify in 257 release broke kernel signature validation for u-boot and sbsign/sbverify tools. EDK2 based firmware like OVMF may not be affected because systemd-boot is able to disable signature checking after a signed UKI has been loaded. This feature is not supported by u-boot.

Upstream systemd bug report:
https://github.com/systemd/systemd/issues/35851

This patch proposed to upstream in:
https://github.com/systemd/systemd/pull/36225

systemd upstream may not like this revert and would prefer alternative, possibly more intrusive changes instead, e.g. to UEFI firmware implementations, sbsign/sbverify tooling or systemd-boot, but this ukify revert is simpler for us systemd users for now.

Cc: Jon Mason
Cc: meta-arm@lists.yoctoproject.org
Signed-off-by: Mikko Rapeli
--- .../systemd/systemd-boot-native_257.1.bb | 3 ++ ...y.py-disable-virtual-size-for-kernel.patch | 39 +++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb index 5b4b63c294..22ac5c96cc 100644 --- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb +++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb @@ -1,4 +1,7 @@ require systemd.inc +FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:" + +SRC_URI += "file://0001-ukify.py-disable-virtual-size-for-kernel.patch" inherit native diff --git a/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch b/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch new file mode 100644 index 0000000000..ddf53f01c7 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch
@@ -0,0 +1,39 @@ +From cb869363ed84bcdd84c44781bc7f74ac027f9a9e Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli +Date: Thu, 30 Jan 2025 11:33:38 +0000 +Subject: [PATCH] ukify.py: disable virtual size for kernel + +Adding padding to kernel breaks secure boot signature +for u-boot based UEFI firmware and sbverify tooling. + +Workaround for https://github.com/systemd/systemd/issues/35851 + +Signed-off-by: Mikko Rapeli +--- + src/ukify/ukify.py | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/36225] + +diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py +index 5f821297c1..08ba800b44 100755 +--- a/src/ukify/ukify.py ++++ b/src/ukify/ukify.py +@@ -1238,12 +1238,8 @@ def make_uki(opts: UkifyConfig) -> None: + uki.add_section(section) + + if linux is not None: +- try: +- virtual_size = pefile.PE(linux, fast_load=True).OPTIONAL_HEADER.SizeOfImage +- except pefile.PEFormatError: +- print(f'{linux} is not a valid PE file, not using SizeOfImage.') +- virtual_size = None +- ++ # Padding breaks signature for kernel https://github.com/systemd/systemd/issues/35851 ++ virtual_size = None + uki.add_section(Section.create('.linux', linux, measure=True, virtual_size=virtual_size)) + + # Don't add a sbat section to profile PE binaries. +-- +2.43.0 +
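
Review bot: in the [PATCH 1/3] hunk for systemd-boot-native_257.1.bb, the two new noexec lines have no comment recording why the tasks are kept instead of deleted, so a later cleanup could restore `deltask` and again install ukify.py without the SRC_URI patches applied, which is the failure the commit message describes. Since [PATCH 3/3] relies on a patched ukify.py for secure boot signing, a one-line comment above `do_configure[noexec] = "1"` stating that the tasks stay in place to preserve the default ordering of do_install after do_patch would make the intent reviewable in the recipe itself.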
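
Review bot: in the [PATCH 2/3] hunk for uki.bbclass, the captured output is logged only through `bb.debug(2, "%s\n%s" % (out, err))`, the same level as the command trace, so the "important warnings" named in the commit message stay at debug verbosity. Consider emitting `err` with bb.warn or bb.note when it is non-empty and keeping stdout at debug level. The commit message also mentions errors when ukify fails; if bb.process.run raises on a non-zero exit status, the new bb.debug line is never reached on that path, so it is worth confirming the failure output is reported by the exception rather than by this line.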
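
Review bot: in the new 0001-ukify.py-disable-virtual-size-for-kernel.patch, `virtual_size = None` is set unconditionally inside `if linux is not None:`, so the SizeOfImage handling is dropped for every kernel and every firmware, including the EDK2 case the commit message says may not be affected, and the "is not a valid PE file" message for non-PE kernels disappears with it. Because the purpose is to keep the kernel signature inside the signed UKI valid, it would help to pair this with a test that extracts the `.linux` payload and checks it with sbverify, so that a future systemd upgrade that drops or fails to apply this patch is caught at build or test time instead of at boot. The `Upstream-Status:` line also sits after the `---` separator of the embedded patch; moving it next to the Signed-off-by trailer keeps it in the commit message if the patch is re-imported with git.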
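
The [PATCH 3/3] message attributes the breakage to padding of the kernel inside the UKI, and its ukify.py hunk shows that padding being requested through `virtual_size` on the `.linux` section. As an added example (not part of this patch series or of systemd), the stdlib-only check below reads a PE section table and flags a `.linux` section whose VirtualSize exceeds its SizeOfRawData. Treating that as the padding indicator is an assumption of this example, and `sample_uki` builds a constructed header-only image.

```python
import struct

def pe_sections(image: bytes) -> dict:
    """Map section name -> (VirtualSize, SizeOfRawData) from a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if len(image) < pe_off + 24 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF header follows the 4-byte signature.
    (nsections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size                          # section table start
    if table + 40 * nsections > len(image):
        raise ValueError("section table is truncated")
    sections = {}
    for i in range(nsections):
        # Each entry: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, ...
        name, vsize, _va, raw_size = struct.unpack_from(
            "<8sIII", image, table + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = (vsize, raw_size)
    return sections

def linux_section_padded(image: bytes) -> bool:
    """True when .linux asks the loader for more bytes than the file holds.

    Assumption of this example: VirtualSize > SizeOfRawData on .linux is the
    visible effect of ukify passing the kernel's SizeOfImage as virtual_size.
    """
    sections = pe_sections(image)
    if ".linux" not in sections:
        raise ValueError("no .linux section, not a UKI")
    vsize, raw_size = sections[".linux"]
    return vsize > raw_size

def sample_uki(vsize: int, raw_size: int) -> bytes:
    """Constructed header-only image with a single .linux section entry."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0xAA64, 1, 0, 0, 0, 0, 0)  # ARM64, 1 section
    sect = struct.pack("<8sIIIIIIHHI", b".linux", vsize, 0x1000,
                       raw_size, 0x200, 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + sect

if __name__ == "__main__":
    for label, img in (("padded", sample_uki(0x3000, 0x2000)),
                       ("unpadded", sample_uki(0x1F00, 0x2000))):
        print(label, pe_sections(img), linux_section_padded(img))
```

On a real build the input would be the UKI file produced by do_uki; the flag only narrows down which images to re-check with sbverify.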