From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: Jon Mason <jdmason@kudzu.us>
Cc: Javier Tia <javier.tia@linaro.org>,
meta-arm@lists.yoctoproject.org,
Ross Burton <Ross.Burton@arm.com>, Jon Mason <jon.mason@arm.com>
Subject: Re: [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot
Date: Fri, 30 Aug 2024 09:10:46 +0300
Message-ID: <ZtFiZjM7pRqSNm2l@nuoska>
In-Reply-To: <ZtE3MqOM2D40ei5r@kudzu.us>
Hi,

On Thu, Aug 29, 2024 at 11:06:26PM -0400, Jon Mason wrote:
> Looks like this series is not building for me. I'm seeing the
> following error:
>
> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found | ETA: 0:00:12
> The following paths were searched:
> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> ERROR: Parsing halted due to errors, see error messages above | ETA: 0:00:14
> ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found
> The following paths were searched:
> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
> The following paths were searched:
> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
>
> I've not looked into it, but it's being seen on multiple setups and is
> trivial to replicate with:
> kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml

I think this is the secure boot key generation. You should run
meta-arm/uefi-sb-keys/gen_uefi_keys.sh in meta-arm/uefi-sb-keys before
building, or have some other way of distributing the keys to build machines.

This could be part of a recipe but that would be fully non-reproducible.
Maybe there is some kas way of running this script before bitbake build
if the key files are not there?

Cheers,

-Mikko

> Thanks,
> Jon
>
>
> On Thu, Aug 29, 2024 at 10:31:56AM -0600, Javier Tia wrote:
> > Hi,
> >
> > Addressing comments from patch series v3.
> >
> > A backport from meta-ts with the minimal changes to add UEFI Secure Boot
> > into qemuarm64-secureboot machine.
> >
> > Requirements:
> >
> > - Create a UEFI disk partition to copy EFI apps.
> >
> > - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.
> >
> > - UEFI keys are to be stored in U-Boot and used to sign systemd-boot
> > and Linux kernel images.
> >
> > - Add systemd as Init manager to auto-mount efivarfs.
> >
> > Introduces uefi-secureboot machine feature.
> >
> > UEFI keys must be generated in order to be added to U-Boot. Sign both
> > systemd-boot EFI app and Linux kernel image.
> >
> > Build and verification steps:
> >
> > $ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'
> >
> > ---
> >
> > Changes since v3:
> > - For image creation use core-image-minimal, instead of core-image-base.
> >
> > Changes since v2:
> > - Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".
> >
> > Changes since v1:
> > - Rework all subject commits to follow OE, Yocto, and meta-arm guidelines.
> > - Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
> > - Add an OE test to validate UEFI Secure Boot.
> > - Simplify gen_uefi_keys.sh to avoid code repetition.
> > - Replace grub with systemd-boot.
> > - Simplify signing binary images with sbsign class.
> > - Set OE branch to Scarthgap.
> >
> > Changes since the v0:
> > - Remove u-boot recipe.
> > - Split the change in several commits.
> > - Remove sample UEFI keys.
> > - Validate UEFI keys exist before building.
> > - Isolate most of changes under uefi-secureboot machine feature.
> >
> > Javier Tia (13):
> > qemuarm64-secureboot: Introduce uefi-secureboot machine feature
> > core-image-minimal: Use UEFI layout disk partitions
> > layer.conf: Introduce UEFI_SB_KEYS_DIR
> > uefi-sb-keys.bbclass: Add class to validate UEFI keys
> > sbsign.bbclass: Add class to sign binaries
> > core-image-minimal: Inherit uefi-sb-keys
> > meta-arm: Introduce gen-uefi-sb-keys.bb recipe
> > u-boot: Setup UEFI and Secure Boot
> > qemuarm64-secureboot: Add meta-secure-core layer as dependency
> > linux-yocto: Setup UEFI and sign kernel image
> > systemd: Add UEFI support
> > systemd-boot: Use it as bootloader & sign UEFI image
> > meta-arm: Add UEFI Secure Boot test
> >
> > ci/qemuarm64-secureboot.yml | 14 ++++---
> > .../u-boot/u-boot-qemuarm64-secureboot.inc | 18 +++++++++
> > .../u-boot/u-boot/uefi-secureboot.cfg | 10 +++++
> > .../recipes-bsp/u-boot/u-boot_%.bbappend | 2 +-
> > meta-arm-bsp/wic/efi-disk-no-swap.wks.in | 2 +-
> > meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++
> > meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++
> > meta-arm/conf/layer.conf | 2 +
> > .../conf/machine/qemuarm64-secureboot.conf | 8 ++++
> > .../oeqa/runtime/cases/uefi_secure_boot.py | 32 +++++++++++++++
> > meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++
> > .../core-image-minimal-uefi-secureboot.inc | 17 ++++++++
> > .../images/core-image-minimal.bbappend | 1 +
> > .../systemd/systemd-boot-uefi-secureboot.inc | 12 ++++++
> > .../systemd/systemd-boot_%.bbappend | 1 +
> > meta-arm/recipes-core/systemd/systemd-efi.inc | 1 +
> > .../recipes-core/systemd/systemd_%.bbappend | 1 +
> > .../linux/linux-yocto%.bbappend | 2 +
> > .../linux/linux-yocto-uefi-secureboot.inc | 19 +++++++++
> > meta-arm/uefi-sb-keys/.gitignore | 4 ++
> > meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 33 ++++++++++++++++
> > 21 files changed, 261 insertions(+), 7 deletions(-)
> > create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> > create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
> > create mode 100644 meta-arm/classes/sbsign.bbclass
> > create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass
> > create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
> > create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
> > create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> > create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend
> > create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
> > create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
> > create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
> > create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
> > create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
> > create mode 100644 meta-arm/uefi-sb-keys/.gitignore
> > create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> >
> > --
> > 2.46.0
> >
> >
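
A pre-build guard for the workaround suggested in the reply above, as an added example that is not part of the thread or the patch series: it generates the keys only when db.key is absent, so existing signing keys are never replaced, and fails before bitbake parsing if generation did not produce the file. It assumes gen_uefi_keys.sh takes no arguments and writes into the directory it is run from; db.key is the only key file name taken from the error output.

```shell
#!/bin/sh
# Added example; ensure_uefi_keys is a hypothetical helper, not meta-arm code.
# Assumption: gen_uefi_keys.sh takes no arguments and writes its keys into
# the current working directory.

# ensure_uefi_keys KEYS_DIR
# Returns 0 when KEYS_DIR/db.key exists (already present or just generated).
ensure_uefi_keys() {
    keys_dir=$1

    # Never regenerate: images signed with the old keys must stay verifiable.
    if [ -s "$keys_dir/db.key" ]; then
        echo "UEFI keys already present in $keys_dir"
        return 0
    fi

    if [ ! -x "$keys_dir/gen_uefi_keys.sh" ]; then
        echo "gen_uefi_keys.sh missing or not executable in $keys_dir" >&2
        return 1
    fi

    # Subshell keeps the caller's cwd and umask unchanged; umask 077 makes
    # the newly written private keys unreadable by other users.
    ( cd "$keys_dir" && umask 077 && ./gen_uefi_keys.sh ) || return 1

    # Fail here instead of later in bitbake's SRC_URI checksum step.
    [ -s "$keys_dir/db.key" ] || {
        echo "gen_uefi_keys.sh ran but $keys_dir/db.key is missing" >&2
        return 1
    }
}

# Use from the repository root (layout as in the error paths above):
#   ensure_uefi_keys meta-arm/uefi-sb-keys &&
#       kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml
```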