* [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot
@ 2024-07-18 20:35 Javier Tia
  2024-07-18 20:35 ` [PATCH v1 1/7] qemuarm64-secureboot: Add poky machine UEFI settings Javier Tia
                   ` (8 more replies)
  0 siblings, 9 replies; 14+ messages in thread
From: Javier Tia @ 2024-07-18 20:35 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Javier Tia

Hi all,

Addressing your comments from first patch [0].

A backport from meta-ts with the minimal changes to add UEFI Secure Boot
into qemuarm64-secureboot machine.

Requirements:

  - Create a UEFI disk partition to copy EFI apps.

  - Add UEFI settings to U-Boot, Grub, and Linux kernel.

  - UEFI keys to be stored in U-Boot and used to sign Grub and Linux
    kernel images.

  - A Grub patch has been implemented to prevent an error from being
    returned for a deferred image. It is still pending acceptance
    upstream.

Optional:

  - Add systemd as Init manager to auto-mount efivarfs.

Introduces uefi-secureboot machine feature.

Ideally, these changes would be submitted to meta-secure-core, but the
code currently doesn't support ARM.

UEFI keys must be provided in order to be added in U-Boot, sign Grub EFI
app and Linux kernel image. A script is provided to generate UEFI keys.

Build and verification steps:

$ kas build ci/qemuarm64-secureboot.yml

$ kas shell ci/qemuarm64-secureboot.yml -c 'runqemu nographic novga slirp'

Log in as root/toor:

$ efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot
1

[0] https://lists.yoctoproject.org/g/meta-arm/message/5891

---

Changes since v0:
- Remove u-boot recipe.
- Split the change in several commits.
- Remove sample UEFI keys.
- Validate UEFI keys exist before building.
- Isolate most of the changes under the uefi-secureboot machine feature.

Javier Tia (7):
  qemuarm64-secureboot: Add poky machine UEFI settings
  qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR
  qemuarm64-secureboot: Validate UEFI keys exist
  qemuarm64-secureboot: Setup UEFI and Secure Boot in u-boot
  qemuarm64-secureboot: Setup UEFI grub and sign EFI grub binary
  qemuarm64-secureboot: Setup UEFI linux-yocto and sign kernel image
  qemuarm64-secureboot: Add UEFI systemd support

 ci/qemuarm64-secureboot.yml                   | 12 +++--
 .../core-image-base-uefi-secureboot.inc       | 23 +++++++++
 .../images/core-image-base.bbappend           |  1 +
 .../u-boot/u-boot-qemuarm64-secureboot.inc    | 18 +++++++
 .../qemuarm64-secureboot.cfg                  | 10 ++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend      |  1 +
 meta-arm/classes/uefi-sb-keys.bbclass         | 24 ++++++++++
 meta-arm/conf/layer.conf                      |  2 +
 .../conf/machine/qemuarm64-secureboot.conf    |  3 ++
 ...on-t-return-error-for-deferred-image.patch | 48 +++++++++++++++++++
 .../recipes-bsp/grub/files/grub-initial.cfg   |  8 ++++
 .../grub/grub-efi-uefi-secureboot.inc         | 40 ++++++++++++++++
 meta-arm/recipes-bsp/grub/grub-efi_%.bbappend |  1 +
 .../systemd/systemd-uefi-secureboot.inc       |  1 +
 .../recipes-core/systemd/systemd_%.bbappend   |  1 +
 .../linux/linux-yocto%.bbappend               |  2 +
 .../linux/linux-yocto-uefi-secureboot.inc     | 18 +++++++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 35 ++++++++++++++
 18 files changed, 243 insertions(+), 5 deletions(-)
 create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass
 create mode 100644 meta-arm/recipes-bsp/grub/files/0001-verifiers-Don-t-return-error-for-deferred-image.patch
 create mode 100644 meta-arm/recipes-bsp/grub/files/grub-initial.cfg
 create mode 100644 meta-arm/recipes-bsp/grub/grub-efi-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-bsp/grub/grub-efi_%.bbappend
 create mode 100644 meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh

-- 
2.45.2



^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH v1 1/7] qemuarm64-secureboot: Add poky machine UEFI settings
  2024-07-18 20:35 [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot Javier Tia
@ 2024-07-18 20:35 ` Javier Tia
  2024-07-18 20:35 ` [PATCH v1 2/7] qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR Javier Tia
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 14+ messages in thread
From: Javier Tia @ 2024-07-18 20:35 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Javier Tia

- Introduce uefi-secureboot poky machine feature.

- Replace qemuarm64.wks with efi-disk-no-swap.wks.in disk definition to
  add expected UEFI disk partitions configuration.

- Enable poky machine feature and grub UEFI support.

- Remove hard-coded root partition as it will be detected based on GUID
  part.

- Use systemd as Init manager to auto-mount efivarfs required by efivar.

- Install additional userspace software required by Linux kernel and
  systemd.

- Set root password.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../core-image-base-uefi-secureboot.inc       | 21 +++++++++++++++++++
 .../images/core-image-base.bbappend           |  1 +
 .../conf/machine/qemuarm64-secureboot.conf    |  3 +++
 3 files changed, 25 insertions(+)
 create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
new file mode 100644
index 00000000..9f20e3f4
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -0,0 +1,21 @@
+# Detected by passing kernel parameter
+QB_KERNEL_ROOT = ""
+
+# kernel is in the image, should not be loaded separately
+QB_DEFAULT_KERNEL = "none"
+
+KERNEL_IMAGETYPE = "Image"
+
+WKS_FILE = "efi-disk-no-swap.wks.in"
+
+MACHINE_FEATURES += "efi"
+
+EFI_PROVIDER = "grub-efi"
+IMAGE_INSTALL += "grub-efi"
+
+IMAGE_INSTALL += "systemd util-linux bash coreutils efivar"
+
+inherit extrausers
+EXTRA_IMAGE_FEATURES += "allow-root-login"
+# Set the root password to toor
+EXTRA_USERS_PARAMS += "usermod -p '\$6\$cnS1MQVd07.jLdkj\$NgXwgR.LWtbi4qD3Drn6x0AQtVtX/CdfKPy1eJzuUC0YdD8s54fLAlsLm8vaoacAoqq6BHYGTAbUnAUNJKTOb1' root;"
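
Review bot: `MACHINE_FEATURES += "efi"` in an image include only changes the variable inside this image recipe's own datastore; recipes such as grub-efi and linux-yocto that test `bb.utils.contains('MACHINE_FEATURES', 'efi', ...)` never see it, so it belongs in qemuarm64-secureboot.conf next to `uefi-secureboot`. The same applies to `KERNEL_IMAGETYPE = "Image"` at the top of the hunk, which the kernel recipe does not inherit from here. The `usermod -p` line bakes a known root password hash (toor, per the comment) together with `allow-root-login` into every build that enables the feature; gate both behind a debug/CI-only feature or set EXTRA_USERS_PARAMS from the kas local_conf_header so a production image cannot pick them up by accident.
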
diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend b/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend
new file mode 100644
index 00000000..1f6dbd24
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'core-image-base-uefi-secureboot.inc', '', d)}
\ No newline at end of file
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index 78a39c03..27581941 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -22,3 +22,6 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
 
 MACHINE_FEATURES += "optee-ftpm"
+MACHINE_FEATURES += "uefi-secureboot"
+
+INIT_MANAGER = "systemd"
\ No newline at end of file
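
Review bot: `INIT_MANAGER = "systemd"` is a distro-level choice, and a hard assignment in a machine conf overrides whatever the distro or local.conf selected; since the cover letter lists systemd as optional (only there to auto-mount efivarfs), use `INIT_MANAGER ?= "systemd"` or leave it to the kas/local configuration and document the efivarfs mount requirement instead. Also add the missing trailing newline flagged by `\ No newline at end of file`.
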
-- 
2.45.2




* [PATCH v1 2/7] qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR
  2024-07-18 20:35 [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot Javier Tia
  2024-07-18 20:35 ` [PATCH v1 1/7] qemuarm64-secureboot: Add poky machine UEFI settings Javier Tia
@ 2024-07-18 20:35 ` Javier Tia
  2024-08-01 14:36   ` Jon Mason
  2024-07-18 20:35 ` [PATCH v1 3/7] qemuarm64-secureboot: Validate UEFI keys exist Javier Tia
                   ` (6 subsequent siblings)
  8 siblings, 1 reply; 14+ messages in thread
From: Javier Tia @ 2024-07-18 20:35 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Javier Tia

UEFI_SB_KEYS_DIR saves the UEFI keys path.

To avoid security issues, UEFI keys are not provided; they can be
generated by the gen_uefi_keys.sh script.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/layer.conf               |  2 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh

diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
index 9e9c9dbd..2854dd69 100644
--- a/meta-arm/conf/layer.conf
+++ b/meta-arm/conf/layer.conf
@@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet"
 addpylib ${LAYERDIR}/lib oeqa
 
 WARN_QA:append:layer-meta-arm = " patch-status"
+
+UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
\ No newline at end of file
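
Review bot: the default `UEFI_SB_KEYS_DIR` points inside the layer checkout, where gen_uefi_keys.sh drops unencrypted `*.key` files next to tracked sources; at minimum add a `.gitignore` for `*.key`, `*.crt`, `*.esl` and `*.auth` under `uefi-sb-keys/`, or default to a path under `${TOPDIR}` and make the in-layer location opt-in. Note the default applies to every machine in the layer, not only qemuarm64-secureboot, so the comment should say which recipes consume it.
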
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
new file mode 100755
index 00000000..fc7f25c9
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
@@ -0,0 +1,35 @@
+#/bin/sh
+
+set -eux
+
+#Create PK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+
+#Create KEK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
+sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+
+#Create DB
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+
+#Create DBX
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
+
+#Sign image
+#sbsign --key db.key --cert db.crt Image
+
+#Digest image
+#hash-to-efi-sig-list Image db_Image.hash
+#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
+
+#Empty cert for testing
+touch noPK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+
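
Review bot: the first line reads `#/bin/sh`, missing the `!`, so the file has no shebang and executing it directly falls back to the invoking shell's own interpreter; change it to `#!/bin/sh`. Two further points: the script writes into the current directory while the bbclass expects the files in `${UEFI_SB_KEYS_DIR}`, so either `cd "$(dirname "$0")"` first or take the output directory as an argument; and the dbx list is populated with a freshly generated certificate rather than a real revocation entry, which is fine for a test fixture but deserves a comment, as do the `-nodes` (unencrypted) keys and `set -x` echoing of every command, which make clear these are throwaway test keys and not something to reuse on real hardware.
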
-- 
2.45.2




* [PATCH v1 3/7] qemuarm64-secureboot: Validate UEFI keys exist
  2024-07-18 20:35 [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot Javier Tia
  2024-07-18 20:35 ` [PATCH v1 1/7] qemuarm64-secureboot: Add poky machine UEFI settings Javier Tia
  2024-07-18 20:35 ` [PATCH v1 2/7] qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR Javier Tia
@ 2024-07-18 20:35 ` Javier Tia
  2024-07-18 20:35 ` [PATCH v1 4/7] qemuarm64-secureboot: Setup UEFI and Secure Boot in u-boot Javier Tia
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 14+ messages in thread
From: Javier Tia @ 2024-07-18 20:35 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Javier Tia

Without UEFI keys, signing will fail and UEFI Secure Boot will be
disabled.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../core-image-base-uefi-secureboot.inc       |  2 ++
 meta-arm/classes/uefi-sb-keys.bbclass         | 24 +++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 9f20e3f4..4ab3ecf9 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -1,3 +1,5 @@
+inherit uefi-sb-keys
+
 # Detected by passing kernel parameter
 QB_KERNEL_ROOT = ""
 
diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass
new file mode 100644
index 00000000..e800b4c6
--- /dev/null
+++ b/meta-arm/classes/uefi-sb-keys.bbclass
@@ -0,0 +1,24 @@
+# Validate UEFI keys
+python __anonymous () {
+    if d.getVar("UEFI_SB_KEYS_DIR", False) is None:
+        raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.")
+
+    # keys used for UEFI secure boot
+    uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR")
+
+    keys_to_check = [
+        uefi_sb_keys + "/PK.esl",
+        uefi_sb_keys + "/KEK.esl",
+        uefi_sb_keys + "/dbx.esl",
+        uefi_sb_keys + "/db.esl",
+        uefi_sb_keys + "/db.key",
+        uefi_sb_keys + "/db.crt",
+    ]
+
+    missing_keys = [f for f in keys_to_check if not os.path.exists(f)]
+
+    if missing_keys:
+        raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), )
+            + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys)
+
+}
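
Review bot: `bb.parse.SkipRecipe` makes the whole image recipe disappear at parse time, so a user without keys sees "Nothing PROVIDES 'core-image-base'" and has to dig the real reason out of `bitbake-layers show-recipes`; `bb.fatal()` with the same message fails loudly at the point of the problem. The check also lives only in the image recipe while the consumers are u-boot, grub-efi and linux-yocto: build one of those directly and the keys are never validated, the failure surfacing inside `sbsign`/`efivar.py` instead. Consider inheriting the class in those three recipes (or in the uefi-secureboot includes they pull in) and dropping it from the image. Minor: the class only tests that the files exist; `os.path.getsize(f) > 0` would also catch a zero-length file left behind by an interrupted `cert-to-efi-sig-list` run.
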
-- 
2.45.2



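The .esl files that gen_uefi_keys.sh produces (patch 2/7) and that the uefi-sb-keys class above only tests for existence have a fixed layout: one or more EFI_SIGNATURE_LIST headers, each followed by EFI_SIGNATURE_DATA entries. As an added example, not part of this series, here is a small Python checker for that layout which also spots what an existence check misses: a truncated list, an entry whose owner GUID does not match, or a non-X.509 entry in a list that should hold only certificates. The sample lists are constructed inside the block with a filler certificate, and the owner GUID is the one gen_uefi_keys.sh passes to cert-to-efi-sig-list.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize; all fields little-endian.
_LIST_HDR = struct.Struct("<16sIII")


def parse_esl(blob):
    """Return [(signature_type, owner_guid, signature_data), ...] for every
    EFI_SIGNATURE_DATA in a blob of concatenated EFI_SIGNATURE_LISTs."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sigtype_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size < 16:
            raise ValueError("SignatureSize %d cannot hold the owner GUID" % sig_size)
        body = blob[off + _LIST_HDR.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sigtype = uuid.UUID(bytes_le=sigtype_raw)  # GUIDs are mixed-endian on disk
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sigtype, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def is_single_der_sequence(der):
    """Outer tag/length check only: an X.509 cert is one DER SEQUENCE (0x30)
    whose length field must cover exactly the remaining bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_esl(blob, expected_owner, allow_hashes=False):
    """List of problems (empty = acceptable). PK/KEK/db must hold X.509 entries;
    dbx (allow_hashes=True) may also hold SHA-256 digests."""
    try:
        entries = parse_esl(blob)
    except ValueError as exc:
        return ["malformed list: %s" % exc]
    problems = [] if entries else ["list contains no signatures"]
    for idx, (sigtype, owner, data) in enumerate(entries):
        if sigtype == EFI_CERT_X509_GUID:
            if not is_single_der_sequence(data):
                problems.append("entry %d: X.509 payload is not one DER SEQUENCE" % idx)
        elif sigtype == EFI_CERT_SHA256_GUID and allow_hashes:
            if len(data) != 32:
                problems.append("entry %d: SHA-256 entry has %d bytes" % (idx, len(data)))
        else:
            problems.append("entry %d: unexpected signature type %s" % (idx, sigtype))
        if owner != expected_owner:
            problems.append("entry %d: owner %s, expected %s" % (idx, owner, expected_owner))
    return problems


def build_esl(sigtype, owner, payloads):
    """Pack one EFI_SIGNATURE_LIST (the layout cert-to-efi-sig-list writes);
    used here only to construct sample input."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return _LIST_HDR.pack(sigtype.bytes_le, _LIST_HDR.size + len(body), 0, sig_size) + body


# Constructed sample data, not real keys: the owner GUID is the one used by
# gen_uefi_keys.sh; the "certificate" is a 256-byte DER SEQUENCE of filler.
OWNER = uuid.UUID("11111111-2222-3333-4444-123456789abc")
FAKE_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 256
GOOD_DB_ESL = build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
WRONG_OWNER_ESL = build_esl(EFI_CERT_X509_GUID, uuid.UUID(int=0), [FAKE_CERT])
HASH_ESL = build_esl(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32])
TRUNCATED_ESL = GOOD_DB_ESL[:-8]
```

Run `check_esl(open("db.esl", "rb").read(), OWNER)` against real output of the script to get a non-empty problem list instead of the bare "file exists" verdict the class gives today.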

* [PATCH v1 4/7] qemuarm64-secureboot: Setup UEFI and Secure Boot in u-boot
  2024-07-18 20:35 [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot Javier Tia
                   ` (2 preceding siblings ...)
  2024-07-18 20:35 ` [PATCH v1 3/7] qemuarm64-secureboot: Validate UEFI keys exist Javier Tia
@ 2024-07-18 20:35 ` Javier Tia
  2024-07-19  9:33   ` Mikko Rapeli
  2024-07-18 20:35 ` [PATCH v1 5/7] qemuarm64-secureboot: Setup UEFI grub and sign EFI grub binary Javier Tia
                   ` (4 subsequent siblings)
  8 siblings, 1 reply; 14+ messages in thread
From: Javier Tia @ 2024-07-18 20:35 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Javier Tia

Add u-boot minimal UEFI definitions. Set up UEFI variables with the keys
previously generated.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../u-boot/u-boot-qemuarm64-secureboot.inc     | 18 ++++++++++++++++++
 .../qemuarm64-secureboot.cfg                   | 10 ++++++++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend       |  1 +
 3 files changed, 29 insertions(+)
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg

diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
new file mode 100644
index 00000000..0a0accd1
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
@@ -0,0 +1,18 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}/${MACHINE}:"
+
+SRC_URI += "file://${MACHINE}.cfg"
+
+UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"
+UBOOT_ENV_NAME = "qemu-arm.env"
+
+DEPENDS += 'python3-pyopenssl-native'
+
+do_compile:prepend() {
+    export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
+
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk  -d "${UEFI_SB_KEYS_DIR}"/PK.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db  -d "${UEFI_SB_KEYS_DIR}"/db.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file
+    "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
+}
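
Review bot: nothing in `do_compile:prepend` records the `.esl` contents in the task signature, so regenerating the keys in `${UEFI_SB_KEYS_DIR}` will not trigger a U-Boot rebuild and the deployed binary keeps the old PK/KEK/db/dbx; add `do_compile[file-checksums] += "${UEFI_SB_KEYS_DIR}/PK.esl:True ${UEFI_SB_KEYS_DIR}/KEK.esl:True ${UEFI_SB_KEYS_DIR}/db.esl:True ${UEFI_SB_KEYS_DIR}/dbx.esl:True"` (the grub and kernel signing tasks later in the series need the same). Writing `ubootefi.var` into `${S}` rather than `${B}` also dirties the source tree on every build; if the U-Boot build really requires the seed file there, say so in a comment.
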
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
new file mode 100644
index 00000000..d2edb5fb
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
@@ -0,0 +1,10 @@
+CONFIG_CMD_BOOTMENU=y
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="bootmenu"
+CONFIG_USE_PREBOOT=y
+CONFIG_EFI_VAR_BUF_SIZE=65536
+CONFIG_FIT_SIGNATURE=y
+CONFIG_EFI_SECURE_BOOT=y
+CONFIG_EFI_VARIABLES_PRESEED=y
+CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
+CONFIG_PREBOOT_DEFINED=y
\ No newline at end of file
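
Review bot: `CONFIG_FIT_SIGNATURE=y` enables FIT image signature checking, which is independent of UEFI image authentication and is not exercised by the `bootefi bootmgr` path configured here; if another boot path needs it, say so in the commit message, otherwise drop it to keep the fragment minimal. A one-line comment that `CONFIG_EFI_VARIABLES_PRESEED` compiles the contents of `ubootefi.var` into U-Boot as the initial variable store, which is how the PK ends up present and SecureBoot reports 1 in the cover letter's check, would also help the next reader. Add the missing trailing newline.
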
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
index 11f332ad..8df993ae 100644
--- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -5,6 +5,7 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
 MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
 MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
 MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
+MACHINE_U-BOOT_REQUIRE:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"
 
 require ${MACHINE_U-BOOT_REQUIRE}
 
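
Review bot: the new line keys the include on both the machine name and the `uefi-secureboot` feature, so any other machine that sets the feature gets nothing (Mikko raises the same point in his reply below); the harder part of making it generic is that the include hard-codes `UBOOT_BOARDDIR`/`UBOOT_ENV_NAME` for qemu-arm and ships a `${MACHINE}.cfg`, so split the board-specific settings from the feature-driven ones (key provisioning and the secure-boot config fragment) before generalising.
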
-- 
2.45.2




* [PATCH v1 5/7] qemuarm64-secureboot: Setup UEFI grub and sign EFI grub binary
  2024-07-18 20:35 [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot Javier Tia
                   ` (3 preceding siblings ...)
  2024-07-18 20:35 ` [PATCH v1 4/7] qemuarm64-secureboot: Setup UEFI and Secure Boot in u-boot Javier Tia
@ 2024-07-18 20:35 ` Javier Tia
  2024-07-18 20:35 ` [PATCH v1 6/7] qemuarm64-secureboot: Setup UEFI linux-yocto and sign kernel image Javier Tia
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 14+ messages in thread
From: Javier Tia @ 2024-07-18 20:35 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Javier Tia

meta-secure-core is required because of sbsigntool.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml                   | 12 +++--
 ...on-t-return-error-for-deferred-image.patch | 48 +++++++++++++++++++
 .../recipes-bsp/grub/files/grub-initial.cfg   |  8 ++++
 .../grub/grub-efi-uefi-secureboot.inc         | 40 ++++++++++++++++
 meta-arm/recipes-bsp/grub/grub-efi_%.bbappend |  1 +
 5 files changed, 104 insertions(+), 5 deletions(-)
 create mode 100644 meta-arm/recipes-bsp/grub/files/0001-verifiers-Don-t-return-error-for-deferred-image.patch
 create mode 100644 meta-arm/recipes-bsp/grub/files/grub-initial.cfg
 create mode 100644 meta-arm/recipes-bsp/grub/grub-efi-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-bsp/grub/grub-efi_%.bbappend

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index b26941e0..958a1ff1 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -4,13 +4,15 @@ header:
   version: 14
   includes:
     - ci/base.yml
-
-machine: qemuarm64-secureboot
-
-target:
-  - core-image-base
+    - ci/meta-openembedded.yml
+    - ci/meta-secure-core.yml
 
 local_conf_header:
   optee: |
     IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
     TEST_SUITES:append = " optee ftpm"
+
+machine: qemuarm64-secureboot
+
+target:
+  - core-image-base
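
Review bot: moving `machine:` and `target:` below `local_conf_header:` changes nothing in YAML and only inflates the diff; keep them where they were and add the two `includes` entries alone. The commit message explains meta-secure-core (sbsigntool) but not why ci/meta-openembedded.yml is now pulled in; if it is a layer dependency of meta-secure-core, say so.
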
diff --git a/meta-arm/recipes-bsp/grub/files/0001-verifiers-Don-t-return-error-for-deferred-image.patch b/meta-arm/recipes-bsp/grub/files/0001-verifiers-Don-t-return-error-for-deferred-image.patch
new file mode 100644
index 00000000..e55128df
--- /dev/null
+++ b/meta-arm/recipes-bsp/grub/files/0001-verifiers-Don-t-return-error-for-deferred-image.patch
@@ -0,0 +1,48 @@
+From 70fe34e1e61e0560af8a2018c5486b07b217f7fc Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Thu, 22 Dec 2022 15:28:12 +0800
+Subject: [PATCH] verifiers: Don't return error for deferred image
+
+When boot from menu and the flag GRUB_VERIFY_FLAGS_DEFER_AUTH is set,
+grub returns error:
+
+ Booting a command list
+
+ error: verification requested but nobody cares: (hd0,gpt1)/Image.
+
+ Press any key to continue...
+
+In this case, the image should be deferred for authentication, grub
+should return the file handle and pass down to later firmware (e.g.
+U-Boot, etc) for authentication.
+
+For this purpose, rather than returning error, this patch prints log
+and returns file handler.
+
+Upstream-Status: Submitted
+
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+---
+ grub-core/kern/verifiers.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
+index 75d7994cf..ada753e69 100644
+--- a/grub-core/kern/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -115,11 +115,7 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+   if (!ver)
+     {
+       if (defer)
+-	{
+-	  grub_error (GRUB_ERR_ACCESS_DENIED,
+-		      N_("verification requested but nobody cares: %s"), io->name);
+-	  goto fail_noclose;
+-	}
++	grub_printf("%s verification is deferred\n", io->name);
+ 
+       /* No verifiers wanted to verify. Just return underlying file. */
+       return io;
+-- 
+2.35.1
+
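
Review bot: the backported change replaces the `GRUB_ERR_ACCESS_DENIED` path for deferred images with a `grub_printf` and returns the file unverified, so GRUB itself no longer enforces anything for a file a verifier has marked `GRUB_VERIFY_FLAGS_DEFER_AUTH`; that is only sound if the next stage (here U-Boot's UEFI image loader checking the sbsign signature against db) always authenticates that file, and if GRUB lockdown keeps unsigned modules out. Both assumptions belong in the commit message, together with the upstream submission URL: `Upstream-Status: Submitted` without a link is exactly what the layer's `WARN_QA patch-status` check exists to flag, and the cover letter says the patch is still pending upstream.
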
diff --git a/meta-arm/recipes-bsp/grub/files/grub-initial.cfg b/meta-arm/recipes-bsp/grub/files/grub-initial.cfg
new file mode 100644
index 00000000..1da15480
--- /dev/null
+++ b/meta-arm/recipes-bsp/grub/files/grub-initial.cfg
@@ -0,0 +1,8 @@
+# First partition on first disk, most likely EFI system partition. Set it here
+# as fallback in case the search doesn't find the given UUID.
+set root='hd0,gpt1'
+search --no-floppy --fs-uuid --set=root 7819-74F8
+
+configfile /EFI/BOOT/grub.cfg
+
+# If fail to load config file, it runs into GRUB shell.
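
Review bot: the hard-coded `--fs-uuid 7819-74F8` needs a comment saying where it comes from (the ESP UUID pinned by efi-disk-no-swap.wks.in, if that is the case) and that a different wks file breaks the search, otherwise the `hd0,gpt1` fallback silently does the work. The last comment documents that a missing grub.cfg drops into the GRUB shell; on a Secure Boot build that is acceptable only because GRUB is expected to be in lockdown, which is worth stating in the file.
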
diff --git a/meta-arm/recipes-bsp/grub/grub-efi-uefi-secureboot.inc b/meta-arm/recipes-bsp/grub/grub-efi-uefi-secureboot.inc
new file mode 100644
index 00000000..e218cb50
--- /dev/null
+++ b/meta-arm/recipes-bsp/grub/grub-efi-uefi-secureboot.inc
@@ -0,0 +1,40 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI += "file://grub-initial.cfg"
+SRC_URI += "file://0001-verifiers-Don-t-return-error-for-deferred-image.patch"
+
+DEPENDS += "sbsigntool-native"
+
+GRUB_PREFIX_DIR ?= "/EFI/BOOT"
+EFI_BOOT_PATH ?= "/boot/efi/EFI/BOOT"
+
+do_mkimage() {
+    install -d "${D}${EFI_BOOT_PATH}"
+    install -m 0600 "${UNPACKDIR}/grub-initial.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg"
+
+    grub-mkimage --disable-shim-lock \
+        --prefix="${GRUB_PREFIX_DIR}" \
+        --format="${GRUB_TARGET}-efi" \
+        --directory="${B}/grub-core" \
+        --output="${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}" \
+        ${GRUB_BUILDIN}
+}
+
+fakeroot do_sign() {
+    "${STAGING_BINDIR_NATIVE}/sbsign" \
+        --key "${UEFI_SB_KEYS_DIR}/db.key" \
+        --cert "${UEFI_SB_KEYS_DIR}/db.crt" \
+        "${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}" \
+        --output "${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}.signed"
+
+   install -m 0644 "${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}.signed" "${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}"
+
+   install -d "${D}${EFI_BOOT_PATH}"
+   install -m 0644 "${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}.signed" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}"
+}
+
+addtask sign after do_install before do_deploy do_package
+
+FILES:${PN} += "${EFI_BOOT_PATH}"
+
+CONFFILES:${PN} += "${EFI_BOOT_PATH}/grub.cfg"
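
Review bot: `do_mkimage` installs grub-initial.cfg into `${D}${EFI_BOOT_PATH}/grub.cfg`, but base.bbclass sets `do_install[cleandirs] = "${D}"`, so that file is wiped before do_install runs and is absent from the package that then lists it in `CONFFILES`; move the grub.cfg install into a `do_install:append` (or into `do_sign`, which already recreates the directory). `do_sign` has the same signature gap as the U-Boot task: add `do_sign[file-checksums]` for db.key and db.crt so that a key change re-signs the image. Minor: indentation in `do_sign` mixes three and four spaces, and the `install -m 0600` mode is meaningless once the file lands on a FAT ESP.
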
diff --git a/meta-arm/recipes-bsp/grub/grub-efi_%.bbappend b/meta-arm/recipes-bsp/grub/grub-efi_%.bbappend
new file mode 100644
index 00000000..fd3baba0
--- /dev/null
+++ b/meta-arm/recipes-bsp/grub/grub-efi_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'grub-efi-uefi-secureboot.inc', '', d)}
\ No newline at end of file
-- 
2.45.2




* [PATCH v1 6/7] qemuarm64-secureboot: Setup UEFI linux-yocto and sign kernel image
  2024-07-18 20:35 [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot Javier Tia
                   ` (4 preceding siblings ...)
  2024-07-18 20:35 ` [PATCH v1 5/7] qemuarm64-secureboot: Setup UEFI grub and sign EFI grub binary Javier Tia
@ 2024-07-18 20:35 ` Javier Tia
  2024-07-19  9:36   ` Mikko Rapeli
  2024-07-18 20:35 ` [PATCH v1 7/7] qemuarm64-secureboot: Add UEFI systemd support Javier Tia
                   ` (2 subsequent siblings)
  8 siblings, 1 reply; 14+ messages in thread
From: Javier Tia @ 2024-07-18 20:35 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Javier Tia

The efivarfs kernel module is required to access EFI vars.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../recipes-kernel/linux/linux-yocto%.bbappend |  2 ++
 .../linux/linux-yocto-uefi-secureboot.inc      | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc

diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
index a287d0e1..29c21355 100644
--- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \
 
 FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
 require ${FFA_TRANSPORT_INCLUDE}
+
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
\ No newline at end of file
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
new file mode 100644
index 00000000..3784b3d1
--- /dev/null
+++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
@@ -0,0 +1,18 @@
+KERNEL_FEATURES += "cfg/efi-ext.scc"
+
+DEPENDS += "sbsigntool-native"
+
+do_compile:append() {
+    KERNEL_IMAGE=$(find "${B}" -name "${KERNEL_IMAGETYPE}" -print -quit)
+
+    "${STAGING_BINDIR_NATIVE}/sbsign" \
+        --key "${UEFI_SB_KEYS_DIR}/db.key" \
+        --cert "${UEFI_SB_KEYS_DIR}/db.crt" \
+        "${KERNEL_IMAGE}" \
+        --output "${KERNEL_IMAGETYPE}.signed"
+
+	install -m 0644 "${KERNEL_IMAGETYPE}.signed" "${KERNEL_IMAGE}"
+}
+
+RRECOMMENDS:${PN} += "kernel-module-efivarfs"
+RRECOMMENDS:${PN} += "kernel-module-efivars"
\ No newline at end of file
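
Review bot: signing inside `do_compile:append` means every re-run of do_compile calls `sbsign` on the already-signed `Image` in place, and anything produced after do_compile (e.g. the bundled image from `do_bundle_initramfs` when INITRAMFS_IMAGE_BUNDLE is set) is never signed; a dedicated `do_sign` task after `do_compile` and before `do_install`/`do_deploy`, mirroring the grub change, with `do_sign[file-checksums]` on db.key/db.crt, avoids both. `find "${B}" -name "${KERNEL_IMAGETYPE}" -print -quit` also takes the first match anywhere under `${B}`, while kernel.bbclass already knows the location as `${B}/${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}`. Minor: the `install` line is tab-indented while the rest of the function uses spaces, and the file lacks a trailing newline.
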
-- 
2.45.2




* [PATCH v1 7/7] qemuarm64-secureboot: Add UEFI systemd support
  2024-07-18 20:35 [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot Javier Tia
                   ` (5 preceding siblings ...)
  2024-07-18 20:35 ` [PATCH v1 6/7] qemuarm64-secureboot: Setup UEFI linux-yocto and sign kernel image Javier Tia
@ 2024-07-18 20:35 ` Javier Tia
  2024-07-19  9:47   ` Mikko Rapeli
  2024-07-19  9:39 ` [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot Mikko Rapeli
  2024-07-19  9:49 ` Mikko Rapeli
  8 siblings, 1 reply; 14+ messages in thread
From: Javier Tia @ 2024-07-18 20:35 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Javier Tia

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc | 1 +
 meta-arm/recipes-core/systemd/systemd_%.bbappend          | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend

diff --git a/meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc
new file mode 100644
index 00000000..5572e51a
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc
@@ -0,0 +1 @@
+PACKAGECONFIG:append = " efi"
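
Review bot: the commit has no body; state that the `efi` PACKAGECONFIG is what gives systemd the EFI support needed to auto-mount efivarfs (the cover letter's reason for switching init manager), so a reader of `git log` knows why a BSP layer touches systemd.
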
diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend
new file mode 100644
index 00000000..577c4f0c
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-uefi-secureboot.inc', '', d)}
-- 
2.45.2




* Re: [PATCH v1 4/7] qemuarm64-secureboot: Setup UEFI and Secure Boot in u-boot
  2024-07-18 20:35 ` [PATCH v1 4/7] qemuarm64-secureboot: Setup UEFI and Secure Boot in u-boot Javier Tia
@ 2024-07-19  9:33   ` Mikko Rapeli
  0 siblings, 0 replies; 14+ messages in thread
From: Mikko Rapeli @ 2024-07-19  9:33 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Ross Burton

Hi,

On Thu, Jul 18, 2024 at 02:35:23PM -0600, Javier Tia wrote:
> Add u-boot minimal UEFI definitions. Set up UEFI variables with the keys
> previously generated.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  .../u-boot/u-boot-qemuarm64-secureboot.inc     | 18 ++++++++++++++++++
>  .../qemuarm64-secureboot.cfg                   | 10 ++++++++++
>  .../recipes-bsp/u-boot/u-boot_%.bbappend       |  1 +
>  3 files changed, 29 insertions(+)
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
> 
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> new file mode 100644
> index 00000000..0a0accd1
> --- /dev/null
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> @@ -0,0 +1,18 @@
> +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}/${MACHINE}:"
> +
> +SRC_URI += "file://${MACHINE}.cfg"
> +
> +UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"
> +UBOOT_ENV_NAME = "qemu-arm.env"
> +
> +DEPENDS += 'python3-pyopenssl-native'
> +
> +do_compile:prepend() {
> +    export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
> +
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk  -d "${UEFI_SB_KEYS_DIR}"/PK.esl  -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db  -d "${UEFI_SB_KEYS_DIR}"/db.esl  -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file
> +    "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
> +}
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
> new file mode 100644
> index 00000000..d2edb5fb
> --- /dev/null
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
> @@ -0,0 +1,10 @@
> +CONFIG_CMD_BOOTMENU=y
> +CONFIG_USE_BOOTCOMMAND=y
> +CONFIG_BOOTCOMMAND="bootmenu"
> +CONFIG_USE_PREBOOT=y
> +CONFIG_EFI_VAR_BUF_SIZE=65536
> +CONFIG_FIT_SIGNATURE=y
> +CONFIG_EFI_SECURE_BOOT=y
> +CONFIG_EFI_VARIABLES_PRESEED=y
> +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
> +CONFIG_PREBOOT_DEFINED=y
> \ No newline at end of file
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> index 11f332ad..8df993ae 100644
> --- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> @@ -5,6 +5,7 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
>  MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
>  MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
>  MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
> +MACHINE_U-BOOT_REQUIRE:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"

I think this should be generic to all machines if uefi-secureboot is in
MACHINE_FEATURES.

I know meta-arm will only test qemuarm64-secureboot but users will have different
machine names and would expect this to work there too.

Cheers,

-Mikko

>  require ${MACHINE_U-BOOT_REQUIRE}
>  
> -- 
> 2.45.2
> 



* Re: [PATCH v1 6/7] qemuarm64-secureboot: Setup UEFI linux-yocto and sign kernel image
From: Mikko Rapeli @ 2024-07-19  9:36 UTC
  To: Javier Tia; +Cc: meta-arm, Ross Burton

Hi,

Subject should be "linux-yocto: sign kernel image..."

Cheers,

-Mikko



* Re: [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot
From: Mikko Rapeli @ 2024-07-19  9:39 UTC
  To: Javier Tia; +Cc: meta-arm, Ross Burton

Hi,

Could you prefix each patch subject with recipe it actually changes?

That's the pattern in poky and meta-arm. Then if possible, keep
changes separate to each recipe and main config file (machine,
kas etc).

Thanks,

-Mikko



* Re: [PATCH v1 7/7] qemuarm64-secureboot: Add UEFI systemd support
From: Mikko Rapeli @ 2024-07-19  9:47 UTC
  To: Javier Tia; +Cc: meta-arm, Ross Burton

Hi,

Subject should have "systemd:" prefix.

On Thu, Jul 18, 2024 at 02:35:26PM -0600, Javier Tia wrote:
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc | 1 +
>  meta-arm/recipes-core/systemd/systemd_%.bbappend          | 1 +
>  2 files changed, 2 insertions(+)
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc
>  create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
> 
> diff --git a/meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc
> new file mode 100644
> index 00000000..5572e51a
> --- /dev/null
> +++ b/meta-arm/recipes-core/systemd/systemd-uefi-secureboot.inc
> @@ -0,0 +1 @@
> +PACKAGECONFIG:append = " efi"
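Review bot: the commit message is empty apart from the Signed-off-by, so nothing explains why systemd needs the `efi` PACKAGECONFIG here; the cover letter says it is to auto-mount efivarfs, and that sentence belongs in the commit message. Before adding a layer-private `.inc` for it, check whether poky's systemd recipe already derives this PACKAGECONFIG from an `efi` DISTRO_FEATURE; if it does, enabling that feature in the machine or distro config is the idiomatic knob and this file is not needed.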
> diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend
> new file mode 100644
> index 00000000..577c4f0c
> --- /dev/null
> +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend
> @@ -0,0 +1 @@
> +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-uefi-secureboot.inc', '', d)}
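Review bot: a separate `.inc` for a single line is more indirection than it buys; the same effect is `PACKAGECONFIG:append = "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', ' efi', '', d)}"` written directly in this bbappend. Whichever form stays, the file should carry a one-line comment saying why a secure-boot machine feature pulls in EFI support for systemd (efivarfs mounting), so the next reader does not have to dig up the cover letter.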

I think this should be machine feature "efi", and this should possibly go to poky
upstream systemd recipe.

Then, it's possible to switch from grub to systemd-boot with uki binaries
but that requires some more work. There both kernel and initrd will be signed
into an efi binary. Only problem for me there is the split between different
layers: poky, meta-arm, meta-security and meta-secure-core. Not clear which
bits would belong where, and which layer would contain the test build config
and oeqa tests.

Cheers,

-Mikko



* Re: [PATCH v1 0/7] qemuarm64-secureboot: Enable UEFI Secure Boot
From: Mikko Rapeli @ 2024-07-19  9:49 UTC
  To: Javier Tia; +Cc: meta-arm, Ross Burton

Hi,

Is there some way to test this in oeqa runtime with ssh that
the boot was really done with secure binaries?

I think this is quite brittle and the test should verify that
the boot was secure.

Cheers,

-Mikko



* Re: [PATCH v1 2/7] qemuarm64-secureboot: Introduce UEFI_SB_KEYS_DIR
From: Jon Mason @ 2024-08-01 14:36 UTC
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton

On Thu, Jul 18, 2024 at 02:35:21PM -0600, Javier Tia wrote:
> UEFI_SB_KEYS_DIR saves UEFI keys path.
> 
> To avoid security issues, UEFI keys are not provided and they can be
> generated by gen_uefi_keys.sh script.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>

Running CI on this series and seeing failures on all qemuarm64-secureboot machines with:

--- Error summary ---
ERROR: Nothing PROVIDES 'core-image-base'
core-image-base was skipped: Required missing keys: /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/PK.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/KEK.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/dbx.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.esl, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.key, /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/db.crt.
Run /builds/jonmason00/meta-arm/work/build/../../meta-arm/uefi-sb-keys/gen_uefi_keys.sh to generate missing keys.

See https://gitlab.com/jonmason00/meta-arm/-/jobs/7473619852


> ---
>  meta-arm/conf/layer.conf               |  2 ++
>  meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
>  2 files changed, 37 insertions(+)
>  create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> 
> diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
> index 9e9c9dbd..2854dd69 100644
> --- a/meta-arm/conf/layer.conf
> +++ b/meta-arm/conf/layer.conf
> @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet"
>  addpylib ${LAYERDIR}/lib oeqa
>  
>  WARN_QA:append:layer-meta-arm = " patch-status"
> +
> +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
> \ No newline at end of file
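Review bot: `UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"` defaults the key directory to a path inside the layer checkout, which is exactly where `gen_uefi_keys.sh` writes `PK.key`, `KEK.key` and `db.key`; the private signing keys then sit next to a git-tracked script and are one `git add` away from being committed, and, as the CI failure above shows, a fresh checkout has no keys at all, so the default can never build out of the box. Consider defaulting to a location outside the source tree (for example `${TOPDIR}/uefi-sb-keys`) or requiring the user to set the variable explicitly, and if the in-layer default stays, add the generated key and certificate file names to the layer's `.gitignore`. The file also lacks its trailing newline (`\ No newline at end of file`).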
> diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> new file mode 100755
> index 00000000..fc7f25c9
> --- /dev/null
> +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> @@ -0,0 +1,35 @@
> +#/bin/sh
> +
> +set -eux
> +
> +#Create PK
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
> +
> +#Create KEK
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
> +
> +#Create DB
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
> +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
> +
> +#Create DBX
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
> +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
> +
> +#Sign image
> +#sbsign --key db.key --cert db.crt Image
> +
> +#Digest image
> +#hash-to-efi-sig-list Image db_Image.hash
> +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
> +
> +#Empty cert for testing
> +touch noPK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
> +
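Review bot: the first line `#/bin/sh` is a comment, not a shebang (the `!` is missing), so the script only runs because shells fall back to executing an executable text file with `sh`; make it `#!/bin/sh`. The script also writes every key into the current working directory rather than next to itself, while the validation message in this series tells the user to run it by absolute path from the build directory, so the keys land in the build directory and the build keeps failing; add `cd "$(dirname "$0")"` at the top or take an output directory argument. Two smaller points: all four `cert-to-efi-sig-list -g` calls use the same fixed owner GUID `11111111-2222-3333-4444-123456789abc`, which should be generated once (`uuidgen`) rather than shipped as a constant, and `-subj /CN=Linaro_LEDGE/` makes every locally generated certificate claim to be Linaro's, which is misleading for user-generated keys; make the subject a parameter.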
> -- 
> 2.45.2
> 
> 


