From: Ard Biesheuvel <ardb@kernel.org>
To: linux-efi@vger.kernel.org
Cc: keescook@chromium.org, Ard Biesheuvel <ardb@kernel.org>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Peter Jones <pjones@redhat.com>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Palmer Dabbelt <palmer@dabbelt.com>,
Atish Patra <atishp@atishpatra.org>,
Arnd Bergmann <arnd@arndb.de>,
Huacai Chen <chenhuacai@loongson.cn>,
Xi Ruoyao <xry111@xry111.site>,
Lennart Poettering <lennart@poettering.net>,
Jeremy Linton <jeremy.linton@arm.com>,
Will Deacon <will@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>
Subject: [PATCH 04/21] efi: libstub: Remove zboot signing from build options
Date: Mon, 17 Oct 2022 19:16:43 +0200 [thread overview]
Message-ID: <20221017171700.3736890-5-ardb@kernel.org> (raw)
In-Reply-To: <20221017171700.3736890-1-ardb@kernel.org>
The zboot decompressor series introduced a feature to sign the PE/COFF
kernel image for secure boot as part of the kernel build. This was
necessary because there are actually two images that need to be signed:
the kernel with the EFI stub attached, and the decompressor application.
This is a bit of a burden, because it means that the images must be
signed on the the same system that performs the build, and this is not
realistic for distros.
During the next cycle, we will introduce changes to the zboot code so
that the inner image no longer needs to be signed. This means that the
outer PE/COFF image can be handled as usual, and be signed later in the
release process.
Let's remove the associated Kconfig options now so that they don't end
up in a LTS release while already being deprecated.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
drivers/firmware/efi/Kconfig | 22 ---------------
drivers/firmware/efi/libstub/Makefile.zboot | 29 +++-----------------
2 files changed, 4 insertions(+), 47 deletions(-)
diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig
index fceeea74522e..0d5201e49841 100644
--- a/drivers/firmware/efi/Kconfig
+++ b/drivers/firmware/efi/Kconfig
@@ -102,28 +102,6 @@ config EFI_ZBOOT
is supported by the encapsulated image. (The compression algorithm
used is described in the zboot image header)
-config EFI_ZBOOT_SIGNED
- def_bool y
- depends on EFI_ZBOOT_SIGNING_CERT != ""
- depends on EFI_ZBOOT_SIGNING_KEY != ""
-
-config EFI_ZBOOT_SIGNING
- bool "Sign the EFI decompressor for UEFI secure boot"
- depends on EFI_ZBOOT
- help
- Use the 'sbsign' command line tool (which must exist on the host
- path) to sign both the EFI decompressor PE/COFF image, as well as the
- encapsulated PE/COFF image, which is subsequently compressed and
- wrapped by the former image.
-
-config EFI_ZBOOT_SIGNING_CERT
- string "Certificate to use for signing the compressed EFI boot image"
- depends on EFI_ZBOOT_SIGNING
-
-config EFI_ZBOOT_SIGNING_KEY
- string "Private key to use for signing the compressed EFI boot image"
- depends on EFI_ZBOOT_SIGNING
-
config EFI_ARMSTUB_DTB_LOADER
bool "Enable the DTB loader"
depends on EFI_GENERIC_STUB && !RISCV && !LOONGARCH
diff --git a/drivers/firmware/efi/libstub/Makefile.zboot b/drivers/firmware/efi/libstub/Makefile.zboot
index 35f234ad8738..3340b385a05b 100644
--- a/drivers/firmware/efi/libstub/Makefile.zboot
+++ b/drivers/firmware/efi/libstub/Makefile.zboot
@@ -20,22 +20,11 @@ zboot-size-len-y := 4
zboot-method-$(CONFIG_KERNEL_GZIP) := gzip
zboot-size-len-$(CONFIG_KERNEL_GZIP) := 0
-quiet_cmd_sbsign = SBSIGN $@
- cmd_sbsign = sbsign --out $@ $< \
- --key $(CONFIG_EFI_ZBOOT_SIGNING_KEY) \
- --cert $(CONFIG_EFI_ZBOOT_SIGNING_CERT)
-
-$(obj)/$(EFI_ZBOOT_PAYLOAD).signed: $(obj)/$(EFI_ZBOOT_PAYLOAD) FORCE
- $(call if_changed,sbsign)
-
-ZBOOT_PAYLOAD-y := $(EFI_ZBOOT_PAYLOAD)
-ZBOOT_PAYLOAD-$(CONFIG_EFI_ZBOOT_SIGNED) := $(EFI_ZBOOT_PAYLOAD).signed
-
-$(obj)/vmlinuz: $(obj)/$(ZBOOT_PAYLOAD-y) FORCE
+$(obj)/vmlinuz: $(obj)/$(EFI_ZBOOT_PAYLOAD) FORCE
$(call if_changed,$(zboot-method-y))
OBJCOPYFLAGS_vmlinuz.o := -I binary -O $(EFI_ZBOOT_BFD_TARGET) \
- --rename-section .data=.gzdata,load,alloc,readonly,contents
+ --rename-section .data=.gzdata,load,alloc,readonly,contents
$(obj)/vmlinuz.o: $(obj)/vmlinuz FORCE
$(call if_changed,objcopy)
@@ -53,18 +42,8 @@ LDFLAGS_vmlinuz.efi.elf := -T $(srctree)/drivers/firmware/efi/libstub/zboot.lds
$(obj)/vmlinuz.efi.elf: $(obj)/vmlinuz.o $(ZBOOT_DEPS) FORCE
$(call if_changed,ld)
-ZBOOT_EFI-y := vmlinuz.efi
-ZBOOT_EFI-$(CONFIG_EFI_ZBOOT_SIGNED) := vmlinuz.efi.unsigned
-
-OBJCOPYFLAGS_$(ZBOOT_EFI-y) := -O binary
-$(obj)/$(ZBOOT_EFI-y): $(obj)/vmlinuz.efi.elf FORCE
+OBJCOPYFLAGS_vmlinuz.efi := -O binary
+$(obj)/vmlinuz.efi: $(obj)/vmlinuz.efi.elf FORCE
$(call if_changed,objcopy)
targets += zboot-header.o vmlinuz vmlinuz.o vmlinuz.efi.elf vmlinuz.efi
-
-ifneq ($(CONFIG_EFI_ZBOOT_SIGNED),)
-$(obj)/vmlinuz.efi: $(obj)/vmlinuz.efi.unsigned FORCE
- $(call if_changed,sbsign)
-endif
-
-targets += $(EFI_ZBOOT_PAYLOAD).signed vmlinuz.efi.unsigned
--
2.35.1
next prev parent reply other threads:[~2022-10-17 17:17 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-17 17:16 [PATCH 00/21] efi: Combine stub functionality with zboot decompressor Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 01/21] arm64: efi: Move dcache cleaning of loaded image out of efi_enter_kernel() Ard Biesheuvel
2022-10-18 11:27 ` Catalin Marinas
2022-10-18 11:38 ` Ard Biesheuvel
2022-10-18 11:54 ` Catalin Marinas
2022-10-17 17:16 ` [PATCH 02/21] arm64: efi: Avoid dcache_clean_poc() altogether in efi_enter_kernel() Ard Biesheuvel
2022-10-18 11:57 ` Catalin Marinas
2022-10-18 11:59 ` Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 03/21] arm64: efi: Move efi-entry.S into the libstub source directory Ard Biesheuvel
2022-10-18 11:57 ` Catalin Marinas
2022-10-17 17:16 ` Ard Biesheuvel [this message]
2022-10-17 17:16 ` [PATCH 05/21] efi: libstub: Drop randomization of runtime memory map Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 06/21] efi: libstub: Drop handling of EFI properties table Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 07/21] efi: libstub: Deduplicate ftrace command line argument filtering Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 08/21] efi: libstub: Use local strncmp() implementation unconditionally Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 09/21] efi: libstub: Clone memcmp() into the stub Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 10/21] efi: libstub: Enable efi_printk() in zboot decompressor Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 11/21] efi: loongarch: Drop exports of unused string routines Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 12/21] efi: libstub: Move screen_info handling to common code Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 13/21] efi: libstub: Provide local implementations of strrchr() and memchr() Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 14/21] efi: libstub: Factor out EFI stub entrypoint into separate file Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 15/21] efi: libstub: Add image code and data size to the zimage metadata Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 16/21] efi: libstub: Factor out min alignment and preferred kernel load address Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 17/21] efi/riscv: libstub: Split off kernel image relocation for builtin stub Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 18/21] efi/arm64: " Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 19/21] efi/loongarch: Don't jump to kernel entry via the old image Ard Biesheuvel
2022-10-17 17:16 ` [PATCH 20/21] efi/loongarch: libstub: Split off kernel image relocation for builtin stub Ard Biesheuvel
2022-10-17 17:17 ` [PATCH 21/21] efi: libstub: Merge zboot decompressor with the ordinary stub Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221017171700.3736890-5-ardb@kernel.org \
--to=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=atishp@atishpatra.org \
--cc=catalin.marinas@arm.com \
--cc=chenhuacai@loongson.cn \
--cc=ilias.apalodimas@linaro.org \
--cc=jeremy.linton@arm.com \
--cc=keescook@chromium.org \
--cc=lennart@poettering.net \
--cc=linux-efi@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=palmer@dabbelt.com \
--cc=pjones@redhat.com \
--cc=will@kernel.org \
--cc=xry111@xry111.site \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.