* [PATCH] systemd-boot: update systemd-bootaarch64.efi path
@ 2025-01-27  7:23 Mikko Rapeli
  2025-01-28 15:33 ` [meta-arm] " Jon Mason
  0 siblings, 1 reply; 8+ messages in thread
From: Mikko Rapeli @ 2025-01-27  7:23 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli

poky updated systemd from 256 to 257 which changed
the build time path.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
index 84196a68..9d72dac5 100644
--- a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
+++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
@@ -1,6 +1,6 @@
 inherit sbsign
 
-SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
+SBSIGN_TARGET_BINARY = "${B}/src/boot/systemd-boot${EFI_ARCH}.efi"
 
 do_compile:append() {
     do_sbsign
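Review bot: `SBSIGN_TARGET_BINARY` still hardcodes systemd's internal meson build-tree layout, which is exactly what moved between 256 and 257 and will move again without warning; since `do_compile:append()` calls `do_sbsign` directly, add a guard in front of it such as `[ -f "${SBSIGN_TARGET_BINARY}" ] || bbfatal "systemd-boot binary not found at ${SBSIGN_TARGET_BINARY}"` so the next layout change fails with the path named in the error instead of as an sbsign failure on a missing input. The commit message should also record that the new path is specific to systemd 257, so the next bump knows where to look.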
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [meta-arm] [PATCH] systemd-boot: update systemd-bootaarch64.efi path
  2025-01-27  7:23 [PATCH] systemd-boot: update systemd-bootaarch64.efi path Mikko Rapeli
@ 2025-01-28 15:33 ` Jon Mason
  2025-01-29  7:03   ` Mikko Rapeli
       [not found]   ` <181F17E3A23753E5.21193@lists.yoctoproject.org>
  0 siblings, 2 replies; 8+ messages in thread
From: Jon Mason @ 2025-01-28 15:33 UTC (permalink / raw)
  To: mikko.rapeli; +Cc: meta-arm

On Mon, Jan 27, 2025 at 7:24 AM Mikko Rapeli via
lists.yoctoproject.org
<mikko.rapeli=linaro.org@lists.yoctoproject.org> wrote:
>
> poky updated systemd from 256 to 257 which changed
> the build time path.
>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>

I tried this out a couple weeks ago.
https://gitlab.com/jonmason00/meta-arm/-/jobs/8885513336
Essentially, systemd changed more than just the location.  It changed
UKI fairly significantly, and that is failing to generate an
authenticated image.
I was able to bisect it to the systemd commit
https://github.com/systemd/systemd/commit/2188c759f97e40b97ebe3e94e82239f36b525b10

I ran out of time to debug this further, and meant to email you with the above.

I'm hesitant to apply a patch that doesn't fully resolve the issue
(though Ross might have a different opinion).  So, if you can manage
to fix the systemd UKI issue, I'd be willing to take it then.

Thanks,
Jon

> ---
>  meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
> index 84196a68..9d72dac5 100644
> --- a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
> +++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
> @@ -1,6 +1,6 @@
>  inherit sbsign
>
> -SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
> +SBSIGN_TARGET_BINARY = "${B}/src/boot/systemd-boot${EFI_ARCH}.efi"
>
>  do_compile:append() {
>      do_sbsign
> --
> 2.43.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#6350): https://lists.yoctoproject.org/g/meta-arm/message/6350
> Mute This Topic: https://lists.yoctoproject.org/mt/110835165/3616920
> Group Owner: meta-arm+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-arm/unsub [jdmason@kudzu.us]
> -=-=-=-=-=-=-=-=-=-=-=-
>



* Re: [meta-arm] [PATCH] systemd-boot: update systemd-bootaarch64.efi path
  2025-01-28 15:33 ` [meta-arm] " Jon Mason
@ 2025-01-29  7:03   ` Mikko Rapeli
       [not found]   ` <181F17E3A23753E5.21193@lists.yoctoproject.org>
  1 sibling, 0 replies; 8+ messages in thread
From: Mikko Rapeli @ 2025-01-29  7:03 UTC (permalink / raw)
  To: Jon Mason; +Cc: meta-arm

Hi,

On Tue, Jan 28, 2025 at 03:33:28PM +0000, Jon Mason wrote:
> On Mon, Jan 27, 2025 at 7:24 AM Mikko Rapeli via
> lists.yoctoproject.org
> <mikko.rapeli=linaro.org@lists.yoctoproject.org> wrote:
> >
> > poky updated systemd from 256 to 257 which changed
> > the build time path.
> >
> > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> 
> I tried this out a couple weeks ago.
> https://gitlab.com/jonmason00/meta-arm/-/jobs/8885513336
> Essentially, systemd changed more than just the location.  It changed
> UKI fairly significantly, and that is failing to generate an
> authenticated image.
> I was able to bisect it to the systemd commit
> https://github.com/systemd/systemd/commit/2188c759f97e40b97ebe3e94e82239f36b525b10
> 
> I ran out of time to debug this further, and meant to email you with the above.
> 
> I'm hesitant to apply a patch that doesn't fully resolve the issue
> (though Ross might have a different opinion).  So, if you can manage
> to fix the systemd UKI issue, I'd be willing to take it then.

OK, I will have a look. oe-core has pretty good selftests for uki.bbclass and
systemd-boot, so I would have expected them to catch major regressions, apart
from secureboot, which is the addition to them in meta-arm.

Cheers,

-Mikko

> Thanks,
> Jon
> 
> > ---
> >  meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
> > index 84196a68..9d72dac5 100644
> > --- a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
> > +++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
> > @@ -1,6 +1,6 @@
> >  inherit sbsign
> >
> > -SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
> > +SBSIGN_TARGET_BINARY = "${B}/src/boot/systemd-boot${EFI_ARCH}.efi"
> >
> >  do_compile:append() {
> >      do_sbsign
> > --
> > 2.43.0
> >
> >



* Re: [meta-arm] [PATCH] systemd-boot: update systemd-bootaarch64.efi path
       [not found]   ` <181F17E3A23753E5.21193@lists.yoctoproject.org>
@ 2025-01-29 14:46     ` Mikko Rapeli
  2025-01-30 15:34     ` [PATCH 1/3] systemd-boot-native: undelete but disable configure and compile tasks Mikko Rapeli
       [not found]     ` <181F3119A56BC89E.31881@lists.yoctoproject.org>
  2 siblings, 0 replies; 8+ messages in thread
From: Mikko Rapeli @ 2025-01-29 14:46 UTC (permalink / raw)
  To: Jon Mason, meta-arm

Hi,

On Wed, Jan 29, 2025 at 09:03:59AM +0200, Mikko Rapeli via lists.yoctoproject.org wrote:
> Hi,
> 
> On Tue, Jan 28, 2025 at 03:33:28PM +0000, Jon Mason wrote:
> > On Mon, Jan 27, 2025 at 7:24 AM Mikko Rapeli via
> > lists.yoctoproject.org
> > <mikko.rapeli=linaro.org@lists.yoctoproject.org> wrote:
> > >
> > > poky updated systemd from 256 to 257 which changed
> > > the build time path.
> > >
> > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > 
> > I tried this out a couple weeks ago.
> > https://gitlab.com/jonmason00/meta-arm/-/jobs/8885513336
> > Essentially, systemd changed more than just the location.  It changed
> > UKI fairly significantly, and that is failing to generate an
> > authenticated image.
> > I was able to bisect it to the systemd commit
> > https://github.com/systemd/systemd/commit/2188c759f97e40b97ebe3e94e82239f36b525b10
> > 
> > I ran out of time to debug this further, and meant to email you with the above.
> > 
> > I'm hesitant to apply a patch that doesn't fully resolve the issue
> > (though Ross might have a different opinion).  So, if you can manage
> > to fix the systemd UKI issue, I'd be willing to take it then.
> 
> OK, I will have a look. oe-core has pretty good selftests for uki.bbclass and
> systemd-boot, so I would have expected them to catch major regressions, apart
> from secureboot, which is the addition to them in meta-arm.

FYI: discussion and analysis is happening in upstream systemd bugreport
https://github.com/systemd/systemd/issues/35851

Cheers,

-Mikko



* [PATCH 1/3] systemd-boot-native: undelete but disable configure and compile tasks
       [not found]   ` <181F17E3A23753E5.21193@lists.yoctoproject.org>
  2025-01-29 14:46     ` Mikko Rapeli
@ 2025-01-30 15:34     ` Mikko Rapeli
  2025-01-30 15:34       ` [PATCH 2/3] uki.bbclass: capture ukify command stdout and stderr Mikko Rapeli
  2025-01-30 15:34       ` [PATCH 3/3] systemd-boot-native: fix kernel signature for secureboot Mikko Rapeli
       [not found]     ` <181F3119A56BC89E.31881@lists.yoctoproject.org>
  2 siblings, 2 replies; 8+ messages in thread
From: Mikko Rapeli @ 2025-01-30 15:34 UTC (permalink / raw)
  To: openembedded-core; +Cc: meta-arm, Mikko Rapeli

The tasks were deleted and do_patch() was run after do_install(),
which meant that patches listed in SRC_URI were not applied to the
installed ukify.py binary. Mark the tasks as noexec since
they don't need to do anything.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 meta/recipes-core/systemd/systemd-boot-native_257.1.bb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
index 58db408dcf..5b4b63c294 100644
--- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
+++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
@@ -2,13 +2,12 @@ require systemd.inc
 
 inherit native
 
-deltask do_configure
-deltask do_compile
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
 
 do_install () {
        install -Dm 0755 ${S}/src/ukify/ukify.py ${D}${bindir}/ukify
 }
-addtask install after do_unpack
 
 PACKAGES = "${PN}"
 
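Review bot: the line that actually repairs the ordering is the removed `addtask install after do_unpack`, which had placed do_install before do_patch; `do_configure[noexec]` and `do_compile[noexec]` merely keep the default unpack, patch, configure, compile, install chain intact so that do_install is again ordered after do_patch even though the two middle tasks do nothing. The commit message describes the symptom but not this mechanism, so state it there, and after a build confirm that the `ukify` produced by `install -Dm 0755 ${S}/src/ukify/ukify.py ${D}${bindir}/ukify` actually contains the SRC_URI patches (grep for a string each patch adds), since a silently unpatched tool is the regression being fixed.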
-- 
2.43.0




* [PATCH 2/3] uki.bbclass: capture ukify command stdout and stderr
  2025-01-30 15:34     ` [PATCH 1/3] systemd-boot-native: undelete but disable configure and compile tasks Mikko Rapeli
@ 2025-01-30 15:34       ` Mikko Rapeli
  2025-01-30 15:34       ` [PATCH 3/3] systemd-boot-native: fix kernel signature for secureboot Mikko Rapeli
  1 sibling, 0 replies; 8+ messages in thread
From: Mikko Rapeli @ 2025-01-30 15:34 UTC (permalink / raw)
  To: openembedded-core; +Cc: meta-arm, Mikko Rapeli

The ukify tool can show important warnings, and even errors
if it fails, so capture the logs.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 meta/classes-recipe/uki.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes-recipe/uki.bbclass b/meta/classes-recipe/uki.bbclass
index 92f690526d..ccda042ab4 100644
--- a/meta/classes-recipe/uki.bbclass
+++ b/meta/classes-recipe/uki.bbclass
@@ -190,6 +190,7 @@ python do_uki() {
 
     # Run the ukify command
     bb.debug(2, "uki: running command: %s" % (ukify_cmd))
-    bb.process.run(ukify_cmd, shell=True)
+    out, err = bb.process.run(ukify_cmd, shell=True)
+    bb.debug(2, "%s\n%s" % (out, err))
 }
 addtask uki after do_rootfs before do_deploy do_image_complete do_image_wic
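Review bot: `bb.debug(2, ...)` is only shown with `bitbake -DD` (or a raised debug level), so the warnings the commit message wants to expose stay hidden in a normal build; log `out` with `bb.note()` and, when `err` is non-empty, with `bb.warn()` so it reaches the console and the task log at default verbosity. Note also that `bb.process.run()` raises `bb.process.ExecutionError` on a non-zero exit, so on the failure path the new `bb.debug` line is never reached and the output is already carried in the exception BitBake reports; what this hunk adds is coverage of the success-with-warnings case, which is the one ukify users tend to miss.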
-- 
2.43.0




* [PATCH 3/3] systemd-boot-native: fix kernel signature for secureboot
  2025-01-30 15:34     ` [PATCH 1/3] systemd-boot-native: undelete but disable configure and compile tasks Mikko Rapeli
  2025-01-30 15:34       ` [PATCH 2/3] uki.bbclass: capture ukify command stdout and stderr Mikko Rapeli
@ 2025-01-30 15:34       ` Mikko Rapeli
  1 sibling, 0 replies; 8+ messages in thread
From: Mikko Rapeli @ 2025-01-30 15:34 UTC (permalink / raw)
  To: openembedded-core; +Cc: meta-arm, Mikko Rapeli, Jon Mason

The systemd update from 256 to 257 broke kernel secureboot signatures
inside signed UKI files with u-boot based UEFI firmware, e.g. meta-arm
with the qemuarm64-secureboot machine config and secureboot:

$ cd meta-arm
$ kas build ci/poky.yml:ci/qemuarm64-secureboot.yml:ci/uefi-secureboot.yml:ci/testimage.yml

systemd-boot itself is secureboot signed and verified by firmware.
The same holds for the UKI file, which combines kernel, initramfs etc.
The kernel from the UKI is then additionally executed using UEFI
firmware calls, which check signatures, so the kernel binary inside
the signed UKI needs to be signed with the same keys too. PE file
padding added to systemd ukify in the 257 release broke kernel
signature validation for u-boot and the sbsign/sbverify tools. EDK2
based firmware like OVMF may not be affected because systemd-boot is
able to disable signature checking after a signed UKI has been loaded.
This feature is not supported by u-boot.

Upstream systemd bug report:

https://github.com/systemd/systemd/issues/35851

This patch proposed to upstream in:

https://github.com/systemd/systemd/pull/36225

systemd upstream may not like this revert and would prefer
alternative, possibly more intrusive changes instead, e.g. to
UEFI firmware implementations, sbsign/sbverify tooling or
systemd-boot, but this ukify revert is simpler for us
systemd users for now.

Cc: Jon Mason <jdmason@kudzu.us>
Cc: meta-arm@lists.yoctoproject.org
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 .../systemd/systemd-boot-native_257.1.bb      |  3 ++
 ...y.py-disable-virtual-size-for-kernel.patch | 39 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch

diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
index 5b4b63c294..22ac5c96cc 100644
--- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
+++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
@@ -1,4 +1,7 @@
 require systemd.inc
+FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:"
+
+SRC_URI += "file://0001-ukify.py-disable-virtual-size-for-kernel.patch"
 
 inherit native
 
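Review bot: the patch is added only to `systemd-boot-native`, the recipe that builds the host-side `ukify`; if the target `systemd` recipe that shares `systemd.inc` also ships `ukify`, it needs the same `file://` line, otherwise the host and target copies of the tool produce differently padded `.linux` sections for the same kernel. Style-wise, oe-core recipes spell this `FILESEXTRAPATHS:prepend := "${THISDIR}/systemd:"` rather than `=.` with `${FILE_DIRNAME}`; both do the job here, but a one-line comment saying the patch deliberately lives in the shared `systemd/` directory next to the other systemd patches would save the next version bump a search.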
diff --git a/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch b/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch
new file mode 100644
index 0000000000..ddf53f01c7
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch
@@ -0,0 +1,39 @@
+From cb869363ed84bcdd84c44781bc7f74ac027f9a9e Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Thu, 30 Jan 2025 11:33:38 +0000
+Subject: [PATCH] ukify.py: disable virtual size for kernel
+
+Adding padding to kernel breaks secure boot signature
+for u-boot based UEFI firmware and sbverify tooling.
+
+Workaround for https://github.com/systemd/systemd/issues/35851
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+---
+ src/ukify/ukify.py | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/36225]
+
+diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
+index 5f821297c1..08ba800b44 100755
+--- a/src/ukify/ukify.py
++++ b/src/ukify/ukify.py
+@@ -1238,12 +1238,8 @@ def make_uki(opts: UkifyConfig) -> None:
+         uki.add_section(section)
+ 
+     if linux is not None:
+-        try:
+-            virtual_size = pefile.PE(linux, fast_load=True).OPTIONAL_HEADER.SizeOfImage
+-        except pefile.PEFormatError:
+-            print(f'{linux} is not a valid PE file, not using SizeOfImage.')
+-            virtual_size = None
+-
++        # Padding breaks signature for kernel https://github.com/systemd/systemd/issues/35851
++        virtual_size = None
+         uki.add_section(Section.create('.linux', linux, measure=True, virtual_size=virtual_size))
+ 
+     # Don't add a sbat section to profile PE binaries.
+-- 
+2.43.0
+
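Review bot: `Upstream-Status: Submitted [...]` sits after the `---` separator and the diffstat, where `git am` treats it as not part of the commit message; move it above `---`, next to the `Workaround for` line, so it survives re-exporting the patch and is where oe-core's patch QA looks for it. Inside the nested hunk, removing the `try`/`except pefile.PEFormatError` branch also removes the only diagnostic for a `--linux` input that is not a PE file, and `virtual_size = None` now applies to every kernel, including those booted by EDK2/OVMF where the commit message says the padding is harmless; a `print()` noting that padding is disabled (ukify output is now captured by patch 2/3) and, if this workaround stays longer than planned, a command-line switch to re-enable it would keep the change visible and narrow.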
-- 
2.43.0



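The commit message above describes the chain in words: the firmware verifies the UKI, the kernel inside it is handed back to the firmware and verified again, and ukify's new padding breaks that second check. The Python below is an added example written for this page, not code from the thread, systemd or oe-core. It builds a minimal PE32+ image standing in for an EFI-stub kernel, computes the Authenticode digest that a UEFI LoadImage implementation compares against the PKCS#7 signature in the certificate table, and then models the 257 behaviour the patch reverts by extending the kernel bytes with zero fill up to its SizeOfImage, which is what a `.linux` section whose VirtualSize was set to SizeOfImage yields when the loader consumes it by that size. The trailing zeros land in the region the digest covers, so the value no longer matches what was signed. The hashing rules follow the Authenticode specification; the model of how the padded section reaches the firmware is this example's reading of the thread, and `build_min_pe64`, `bss_size`, `padded_as_in_ukify_257` and the other names are this example's own. The PKCS#7 signature itself is not parsed or verified here.

```python
# Added example, not code from the thread, systemd or oe-core: why zero fill after an
# EFI-stub kernel changes the digest that a UEFI LoadImage implementation verifies.
import hashlib
import struct

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the certificate table


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_min_pe64(text: bytes, bss_size: int = 0x2000) -> bytes:
    """Constructed minimal AArch64 PE32+ with one .text section, standing in for an
    EFI-stub kernel. bss_size (an assumption of this example) is zero-initialised
    memory the loader must add beyond the file, so SizeOfImage exceeds the file."""
    e_lfanew = 64
    size_of_headers = _align(e_lfanew + 4 + 20 + 240 + 40, FILE_ALIGN)
    raw_size = _align(len(text), FILE_ALIGN)
    text_va = SECTION_ALIGN
    size_of_image = _align(text_va + len(text) + bss_size, SECTION_ALIGN)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF: ARM64, 1 section, 240-byte PE32+ optional header, EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0xAA64, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<HBBIIIII", opt, 0, 0x20B, 0, 0, raw_size, 0, 0, text_va, text_va)
    struct.pack_into("<QIIHHHHHHIIIIHH", opt, 24, 0, SECTION_ALIGN, FILE_ALIGN,
                     0, 0, 0, 0, 0, 0, 0, size_of_image, size_of_headers,
                     0,      # CheckSum: the one header field Authenticode skips
                     10, 0)  # IMAGE_SUBSYSTEM_EFI_APPLICATION, DllCharacteristics
    struct.pack_into("<QQQQII", opt, 72, 0, 0, 0, 0, 0, 16)  # stack/heap, 16 empty data dirs
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text) + bss_size, text_va, raw_size,
                       size_of_headers, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(size_of_headers, b"\0") + text.ljust(raw_size, b"\0")


def _layout(pe: bytes) -> dict:
    """Header offsets that the Authenticode hashing rules depend on (PE32 or PE32+)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    cert_entry = opt + (112 if magic == 0x20B else 96) + 8 * SECURITY_DIR
    cert_addr, cert_size = struct.unpack_from("<II", pe, cert_entry)
    # Section headers follow the optional header; keep (PointerToRawData, SizeOfRawData)
    sections = sorted(struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)[::-1]
                      for i in range(nsect))
    return {"checksum": opt + 64, "cert_entry": cert_entry, "cert_addr": cert_addr,
            "cert_size": cert_size, "sections": sections,
            "size_of_image": struct.unpack_from("<I", pe, opt + 56)[0],
            "size_of_headers": struct.unpack_from("<I", pe, opt + 60)[0]}


def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Digest as the Authenticode spec defines it: headers minus CheckSum and the
    certificate directory entry, sections in file order, then every remaining byte
    except the certificate table. The PKCS#7 signature is made over this value."""
    lay = _layout(pe)
    h = hashlib.new(algo)
    h.update(pe[:lay["checksum"]])
    h.update(pe[lay["checksum"] + 4:lay["cert_entry"]])
    h.update(pe[lay["cert_entry"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    for ptr, size in lay["sections"]:
        h.update(pe[ptr:ptr + size])
        hashed += size
    if lay["cert_size"]:  # signed: skip only the certificate table itself
        h.update(pe[hashed:lay["cert_addr"]])
        h.update(pe[lay["cert_addr"] + lay["cert_size"]:])
    else:                 # unsigned: all trailing bytes are covered
        h.update(pe[hashed:])
    return h.hexdigest()


def trailing_bytes_after_sections(pe: bytes) -> int:
    """Bytes past the last section that are not certificate table: 0 for a cleanly
    built kernel, > 0 once zero fill has been appended to it."""
    lay = _layout(pe)
    end = max((p + s for p, s in lay["sections"]), default=lay["size_of_headers"])
    return len(pe) - end - lay["cert_size"]


def padded_as_in_ukify_257(kernel: bytes) -> bytes:
    """Model (an assumption of this example) of the behaviour the patch reverts: the
    .linux section's VirtualSize equals the kernel's SizeOfImage, so a loader that
    consumes the section by that size sees the kernel followed by zero fill."""
    return kernel.ljust(_layout(kernel)["size_of_image"], b"\0")


def with_checksum(pe: bytes, value: int) -> bytes:
    """Rewrite only the CheckSum field, to show that it is outside the digest."""
    buf = bytearray(pe)
    struct.pack_into("<I", buf, _layout(pe)["checksum"], value)
    return bytes(buf)


if __name__ == "__main__":
    kernel = build_min_pe64(b"\x1f\x20\x03\xd5" * 64)  # constructed: 256 bytes of A64 NOP
    padded = padded_as_in_ukify_257(kernel)
    print(f"file {len(kernel)} bytes, SizeOfImage {len(padded)} bytes")
    print("digest as signed:", authenticode_digest(kernel))
    print("digest as loaded:", authenticode_digest(padded))
    print("bytes hashed beyond the sections:", trailing_bytes_after_sections(padded))
```

On a real kernel, `authenticode_digest(open(path, "rb").read())` (path illustrative) gives the value the embedded signature has to match; run it on the bytes the firmware is actually given, not on the file you signed. If `trailing_bytes_after_sections()` is non-zero on those bytes, something after the PE's own sections, such as the zero fill modelled here, is being hashed into the digest, and that difference between the signed bytes and the loaded bytes is the first thing to check.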

* Re: [meta-arm] [PATCH] systemd-boot: update systemd-bootaarch64.efi path
       [not found]     ` <181F3119A56BC89E.31881@lists.yoctoproject.org>
@ 2025-01-31  7:45       ` Mikko Rapeli
  0 siblings, 0 replies; 8+ messages in thread
From: Mikko Rapeli @ 2025-01-31  7:45 UTC (permalink / raw)
  To: Jon Mason, meta-arm

Hi,

On Wed, Jan 29, 2025 at 04:46:02PM +0200, Mikko Rapeli via lists.yoctoproject.org wrote:
> On Wed, Jan 29, 2025 at 09:03:59AM +0200, Mikko Rapeli via lists.yoctoproject.org wrote:
> > On Tue, Jan 28, 2025 at 03:33:28PM +0000, Jon Mason wrote:
> > > On Mon, Jan 27, 2025 at 7:24 AM Mikko Rapeli via
> > > lists.yoctoproject.org
> > > <mikko.rapeli=linaro.org@lists.yoctoproject.org> wrote:
> > > >
> > > > poky updated systemd from 256 to 257 which changed
> > > > the build time path.
> > > >
> > > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > > 
> > > I tried this out a couple weeks ago.
> > > https://gitlab.com/jonmason00/meta-arm/-/jobs/8885513336
> > > Essentially, systemd changed more than just the location.  It changed
> > > UKI fairly significantly, and that is failing to generate an
> > > authenticated image.
> > > I was able to bisect it to the systemd commit
> > > https://github.com/systemd/systemd/commit/2188c759f97e40b97ebe3e94e82239f36b525b10
> > > 
> > > I ran out of time to debug this further, and meant to email you with the above.
> > > 
> > > I'm hesitant to apply a patch that doesn't fully resolve the issue
> > > (though Ross might have a different opinion).  So, if you can manage
> > > to fix the systemd UKI issue, I'd be willing to take it then.
> > 
> > OK, I will have a look. oe-core has pretty good selftests for uki.bbclass and
> > systemd-boot, so I would have expected them to catch major regressions, apart
> > from secureboot, which is the addition to them in meta-arm.
> 
> FYI: discussion and analysis is happening in upstream systemd bugreport
> https://github.com/systemd/systemd/issues/35851

I've sent a proposal to fix/work around this regression to poky/oe-core.
Once that goes in and this patch is applied in meta-arm,
qemuarm64-secureboot and uefi-secureboot work and all tests pass. I used this build
config, which also runs the tests:

$ kas build ci/poky.yml:ci/qemuarm64-secureboot.yml:ci/uefi-secureboot.yml:ci/testimage.yml

Cheers,

-Mikko


