* [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot
@ 2024-08-29 16:31 Javier Tia
  2024-08-29 16:31 ` [PATCH v4 01/13] qemuarm64-secureboot: Introduce uefi-secureboot machine feature Javier Tia
                   ` (13 more replies)
  0 siblings, 14 replies; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:31 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

Hi,

Addressing comments from patch series v3.

A backport from meta-ts with the minimal changes to add UEFI Secure Boot
into the qemuarm64-secureboot machine.

Requirements:

  - Create a UEFI disk partition to copy EFI apps.

  - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.

  - UEFI keys are to be stored in U-Boot and used to sign systemd-boot
    and Linux kernel images.

  - Add systemd as Init manager to auto-mount efivarfs.

Introduces uefi-secureboot machine feature.

UEFI keys must be generated in order to be added to U-Boot. Sign both the
systemd-boot EFI app and the Linux kernel image.

Build and verification steps:

$ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

---

Changes since v3:
- For image creation use core-image-minimal, instead of core-image-base.

Changes since v2:
- Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".

Changes since v1:
- Rework all subject commits to follow OE, Yocto, and meta-arm guidelines.
- Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
- Add an OE test to validate UEFI Secure Boot.
- Simplify gen_uefi_keys.sh to avoid code repetition.
- Replace grub with systemd-boot.
- Simplify signing binary images with sbsign class.
- Set OE branch to Scarthgap.

Changes since v0:
- Remove u-boot recipe.
- Split the change in several commits.
- Remove sample UEFI keys.
- Validate UEFI keys exist before building.
- Isolate most of the changes under the uefi-secureboot machine feature.

Javier Tia (13):
  qemuarm64-secureboot: Introduce uefi-secureboot machine feature
  core-image-minimal: Use UEFI layout disk partitions
  layer.conf: Introduce UEFI_SB_KEYS_DIR
  uefi-sb-keys.bbclass: Add class to validate UEFI keys
  sbsign.bbclass: Add class to sign binaries
  core-image-minimal: Inherit uefi-sb-keys
  meta-arm: Introduce gen-uefi-sb-keys.bb recipe
  u-boot: Setup UEFI and Secure Boot
  qemuarm64-secureboot: Add meta-secure-core layer as dependency
  linux-yocto: Setup UEFI and sign kernel image
  systemd: Add UEFI support
  systemd-boot: Use it as bootloader & sign UEFI image
  meta-arm: Add UEFI Secure Boot test

 ci/qemuarm64-secureboot.yml                   | 14 ++++---
 .../u-boot/u-boot-qemuarm64-secureboot.inc    | 18 +++++++++
 .../u-boot/u-boot/uefi-secureboot.cfg         | 10 +++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend      |  2 +-
 meta-arm-bsp/wic/efi-disk-no-swap.wks.in      |  2 +-
 meta-arm/classes/sbsign.bbclass               | 39 +++++++++++++++++++
 meta-arm/classes/uefi-sb-keys.bbclass         | 24 ++++++++++++
 meta-arm/conf/layer.conf                      |  2 +
 .../conf/machine/qemuarm64-secureboot.conf    |  8 ++++
 .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++
 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++
 .../core-image-minimal-uefi-secureboot.inc    | 17 ++++++++
 .../images/core-image-minimal.bbappend        |  1 +
 .../systemd/systemd-boot-uefi-secureboot.inc  | 12 ++++++
 .../systemd/systemd-boot_%.bbappend           |  1 +
 meta-arm/recipes-core/systemd/systemd-efi.inc |  1 +
 .../recipes-core/systemd/systemd_%.bbappend   |  1 +
 .../linux/linux-yocto%.bbappend               |  2 +
 .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++
 meta-arm/uefi-sb-keys/.gitignore              |  4 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 33 ++++++++++++++++
 21 files changed, 261 insertions(+), 7 deletions(-)
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
 create mode 100644 meta-arm/classes/sbsign.bbclass
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
 create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
 create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
 create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
 create mode 100644 meta-arm/uefi-sb-keys/.gitignore
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh

-- 
2.46.0



^ permalink raw reply	[flat|nested] 32+ messages in thread
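The requirements in the cover letter above (generate PK/KEK/db/dbx, turn each certificate into an EFI signature list, preseed those lists into U-Boot, sign the kernel with the db key) only hold together if the `.esl` files carry the certificate you think they do. As an added example, not code from this series or from efitools, here is a standard-library Python parser and builder for the EFI_SIGNATURE_LIST format that `cert-to-efi-sig-list` emits, so a `db.esl` about to be preseeded can be checked against the `db.crt` handed to `sbsign`. The owner GUID is the placeholder hard-coded in the series' gen_uefi_keys.sh; `FAKE_CERT_DER` is a constructed byte string standing in for a real DER certificate, not a parseable X.509 object, and the `esl_check.py` file name in the usage comment is assumed.

```python
"""Parse and build EFI_SIGNATURE_LIST (.esl) blobs of the kind that
cert-to-efi-sig-list emits, so the lists preseeded into U-Boot's PK/KEK/db/dbx
can be inspected and compared with the certificate given to sbsign."""
import base64
import struct
import sys
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Placeholder SignatureOwner GUID hard-coded in this series' gen_uefi_keys.sh.
GEN_SCRIPT_OWNER = uuid.UUID("11111111-2222-3333-4444-123456789abc")

# Constructed stand-in for a DER certificate; not a parseable X.509 object.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little endian).
_HDR = struct.Struct("<16sIII")


def build_esl(sig_type, owner, entries):
    """One EFI_SIGNATURE_LIST with every entry owned by `owner`; entries
    must share a size because SignatureSize is a single per-list field."""
    if not entries:
        raise ValueError("an EFI_SIGNATURE_LIST needs at least one entry")
    size = len(entries[0])
    if any(len(e) != size for e in entries):
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + size  # EFI_SIGNATURE_DATA = SignatureOwner + SignatureData
    list_size = _HDR.size + sig_size * len(entries)
    out = bytearray(_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size))
    for e in entries:
        out += owner.bytes_le + e
    return bytes(out)


def parse_esl(blob):
    """Yield (sig_type, owner, data) for each signature in a concatenation of
    lists, checking the size fields the way firmware must; an empty blob (the
    noPK.esl case) yields nothing."""
    blob = bytes(blob)
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        type_raw, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        body = list_size - _HDR.size - hdr_size
        if sig_size <= 16 or body % sig_size:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + _HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off += list_size


def cert_in_esl(blob, cert_der):
    """True if `cert_der` is an X.509 entry of `blob`: the db.esl that U-Boot
    preseeds must carry the db.crt that sbsign uses, or nothing boots."""
    return any(t == EFI_CERT_X509_GUID and d == cert_der for t, _, d in parse_esl(blob))


def owners(blob):
    """Distinct SignatureOwner GUIDs in `blob`."""
    return {o for _, o, _ in parse_esl(blob)}


def pem_to_der(pem_text):
    """Strip the PEM armour of a single certificate (what openssl req -out writes)."""
    lines = [l.strip() for l in pem_text.splitlines()
             if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def selfcheck():
    """Round-trip the constructed certificate and report what a caller would verify."""
    esl = build_esl(EFI_CERT_X509_GUID, GEN_SCRIPT_OWNER, [FAKE_CERT_DER])
    entries = list(parse_esl(esl))
    return {
        "size": len(esl),
        "entries": len(entries),
        "type_ok": entries[0][0] == EFI_CERT_X509_GUID,
        "owner_ok": entries[0][1] == GEN_SCRIPT_OWNER,
        "cert_found": cert_in_esl(esl, FAKE_CERT_DER),
        "other_cert_found": cert_in_esl(esl, b"\x30\x00"),
        "empty": list(parse_esl(b"")),
    }


if __name__ == "__main__":
    # usage: python3 esl_check.py db.esl db.crt   (file name assumed)
    with open(sys.argv[1], "rb") as f:
        esl = f.read()
    with open(sys.argv[2]) as f:
        der = pem_to_der(f.read())
    for t, o, d in parse_esl(esl):
        print("type", t, "owner", o, "bytes", len(d))
    print("db.crt present:", cert_in_esl(esl, der))
```

Running it on the `db.esl`/`db.crt` pair from the key directory prints one line per entry with its type and owner GUID and then whether the certificate that `sbsign` will use is in the list; a mismatch here is the build-time symptom of the regenerated-keys problem that shows up at boot as a kernel that fails verification.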

* [PATCH v4 01/13] qemuarm64-secureboot: Introduce uefi-secureboot machine feature
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
@ 2024-08-29 16:31 ` Javier Tia
  2024-08-30 15:42   ` Jon Mason
  2024-08-29 16:31 ` [PATCH v4 02/13] core-image-minimal: Use UEFI layout disk partitions Javier Tia
                   ` (12 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:31 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/machine/qemuarm64-secureboot.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index 78a39c03..2483c4ac 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -22,3 +22,4 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
 
 MACHINE_FEATURES += "optee-ftpm"
+MACHINE_FEATURES += "uefi-secureboot"
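
Review bot: the commit message is empty apart from the Signed-off-by, yet this one line makes a key directory mandatory for every build of qemuarm64-secureboot (the uefi-sb-keys class added later in the series skips the image recipe when `UEFI_SB_KEYS_DIR` has no keys); say so here and point at gen_uefi_keys.sh so a reader of `git log` knows why a machine that used to build now needs keys.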
-- 
2.46.0




* [PATCH v4 02/13] core-image-minimal: Use UEFI layout disk partitions
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
  2024-08-29 16:31 ` [PATCH v4 01/13] qemuarm64-secureboot: Introduce uefi-secureboot machine feature Javier Tia
@ 2024-08-29 16:31 ` Javier Tia
  2024-08-30 15:32   ` Jon Mason
  2024-08-29 16:31 ` [PATCH v4 03/13] layer.conf: Introduce UEFI_SB_KEYS_DIR Javier Tia
                   ` (11 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:31 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

- Use the efi-disk-no-swap.wks.in disk definition to add the expected UEFI
  disk partition configuration.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml                                 | 6 +++---
 .../images/core-image-minimal-uefi-secureboot.inc           | 1 +
 meta-arm/recipes-core/images/core-image-minimal.bbappend    | 1 +
 3 files changed, 5 insertions(+), 3 deletions(-)
 create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index b26941e0..fdde1e79 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -7,10 +7,10 @@ header:
 
 machine: qemuarm64-secureboot
 
-target:
-  - core-image-base
-
 local_conf_header:
   optee: |
     IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
     TEST_SUITES:append = " optee ftpm"
+
+target:
+  - core-image-minimal
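
Review bot: the `target:` block is moved from the top of the file to the bottom while only the image name changes; keep it where it was and change `core-image-base` to `core-image-minimal` so this is a one-line diff (the `machine:` key is moved again in patch 09 for the same non-reason).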
diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
new file mode 100644
index 00000000..351e9030
--- /dev/null
+++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
@@ -0,0 +1 @@
+WKS_FILE = "efi-disk-no-swap.wks.in"
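
Review bot: `WKS_FILE = ...` is a hard assignment, so a WKS_FILE set by any machine conf that also enables `uefi-secureboot` is silently replaced; use `WKS_FILE ?=`, or state in the commit message that the feature dictates the disk layout. Note also that efi-disk-no-swap.wks.in lives in meta-arm-bsp (see the diffstat) while this include and the machine conf are in meta-arm, so the file is only found when meta-arm-bsp is in BBLAYERS.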
diff --git a/meta-arm/recipes-core/images/core-image-minimal.bbappend b/meta-arm/recipes-core/images/core-image-minimal.bbappend
new file mode 100644
index 00000000..46c00f00
--- /dev/null
+++ b/meta-arm/recipes-core/images/core-image-minimal.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'core-image-minimal-uefi-secureboot.inc', '', d)}
\ No newline at end of file
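
Review bot: missing newline at end of file (`\ No newline at end of file`); the same applies to several other new files in this series and is worth fixing in one pass.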
-- 
2.46.0




* [PATCH v4 03/13] layer.conf: Introduce UEFI_SB_KEYS_DIR
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
  2024-08-29 16:31 ` [PATCH v4 01/13] qemuarm64-secureboot: Introduce uefi-secureboot machine feature Javier Tia
  2024-08-29 16:31 ` [PATCH v4 02/13] core-image-minimal: Use UEFI layout disk partitions Javier Tia
@ 2024-08-29 16:31 ` Javier Tia
  2024-08-30 14:00   ` Jon Mason
  2024-08-29 16:32 ` [PATCH v4 04/13] uefi-sb-keys.bbclass: Add class to validate UEFI keys Javier Tia
                   ` (10 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:31 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

UEFI_SB_KEYS_DIR holds the UEFI keys path.

To avoid security issues, UEFI keys are not provided; they can be
generated by the gen_uefi_keys.sh script.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/layer.conf               |  2 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh

diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
index 9e9c9dbd..2854dd69 100644
--- a/meta-arm/conf/layer.conf
+++ b/meta-arm/conf/layer.conf
@@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet"
 addpylib ${LAYERDIR}/lib oeqa
 
 WARN_QA:append:layer-meta-arm = " patch-status"
+
+UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
\ No newline at end of file
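
Review bot: the default puts private signing keys inside the layer checkout, and the `.gitignore` that keeps them out of commits only arrives in patch 07; squash those ignore rules into this patch, and consider a default outside the source tree (for example under `${TOPDIR}`) so a `git clean`, a layer tarball or a mirror of the layer cannot carry `db.key` with it. Missing newline at end of file.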
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
new file mode 100755
index 00000000..fc7f25c9
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
@@ -0,0 +1,35 @@
+#/bin/sh
+
+set -eux
+
+#Create PK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+
+#Create KEK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
+sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+
+#Create DB
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+
+#Create DBX
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
+
+#Sign image
+#sbsign --key db.key --cert db.crt Image
+
+#Digest image
+#hash-to-efi-sig-list Image db_Image.hash
+#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
+
+#Empty cert for testing
+touch noPK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+
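
Review bot: the shebang on the first line is `#/bin/sh`, missing the `!`, so the script only runs when a shell is invoked explicitly (patch 07 fixes it; fold the fix in here). The four `openssl req ... -nodes` calls write unencrypted private keys into the current directory rather than next to the script; `noPK.auth` is a PK-signed authorization to clear the Platform Key, which drops the firmware back into setup mode, so generating it by default beside the production keys deserves at least a comment; and the owner GUID `11111111-2222-3333-4444-123456789abc` shared by all four lists should be a real one (`uuidgen`) or a parameter.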
-- 
2.46.0




* [PATCH v4 04/13] uefi-sb-keys.bbclass: Add class to validate UEFI keys
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (2 preceding siblings ...)
  2024-08-29 16:31 ` [PATCH v4 03/13] layer.conf: Introduce UEFI_SB_KEYS_DIR Javier Tia
@ 2024-08-29 16:32 ` Javier Tia
  2024-08-30 14:03   ` Jon Mason
  2024-08-29 16:32 ` [PATCH v4 05/13] sbsign.bbclass: Add class to sign binaries Javier Tia
                   ` (9 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:32 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

Without UEFI keys, signing will fail and the OS will not boot.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass

diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass
new file mode 100644
index 00000000..e800b4c6
--- /dev/null
+++ b/meta-arm/classes/uefi-sb-keys.bbclass
@@ -0,0 +1,24 @@
+# Validate UEFI keys
+python __anonymous () {
+    if d.getVar("UEFI_SB_KEYS_DIR", False) is None:
+        raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.")
+
+    # keys used for UEFI secure boot
+    uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR")
+
+    keys_to_check = [
+        uefi_sb_keys + "/PK.esl",
+        uefi_sb_keys + "/KEK.esl",
+        uefi_sb_keys + "/dbx.esl",
+        uefi_sb_keys + "/db.esl",
+        uefi_sb_keys + "/db.key",
+        uefi_sb_keys + "/db.crt",
+    ]
+
+    missing_keys = [f for f in keys_to_check if not os.path.exists(f)]
+
+    if missing_keys:
+        raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), )
+            + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys)
+
+}
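
Review bot: a parse-time `bb.parse.SkipRecipe` makes the image silently disappear from the build with a warning rather than failing it, which is the opposite of what the commit message wants ("signing will fail and the OS will not boot"); `bb.fatal()` surfaces the message immediately. The check also runs when the recipe is parsed, before any task of the key-generating recipe added in patch 07 can have run, so a first build can never pass it. Minor: "Required missing keys" reads oddly ("Missing required keys"), and `os.path.isfile` is the better test, since a directory named `db.key` passes `os.path.exists`.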
-- 
2.46.0




* [PATCH v4 05/13] sbsign.bbclass: Add class to sign binaries
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (3 preceding siblings ...)
  2024-08-29 16:32 ` [PATCH v4 04/13] uefi-sb-keys.bbclass: Add class to validate UEFI keys Javier Tia
@ 2024-08-29 16:32 ` Javier Tia
  2024-08-30 14:12   ` Jon Mason
  2024-08-29 16:32 ` [PATCH v4 06/13] core-image-minimal: Inherit uefi-sb-keys Javier Tia
                   ` (8 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:32 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

A lot of recipes use these same steps to sign binaries
for UEFI secure boot.

Authored-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 meta-arm/classes/sbsign.bbclass

diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass
new file mode 100644
index 00000000..a99c0218
--- /dev/null
+++ b/meta-arm/classes/sbsign.bbclass
@@ -0,0 +1,39 @@
+# Sign binaries for UEFI secure boot
+# Usage in recipes:
+#
+# Set key and cert files in recipe or machine/distro config:
+# SBSIGN_KEY = "db.key"
+# SBSIGN_CERT = "db.crt"
+#
+# Set binary to sign per recipe:
+# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign"
+#
+# Then call do_sbsign() in correct stage of the build
+# do_compile:append() {
+#     do_sbsign
+# }
+
+DEPENDS += "sbsigntool-native"
+
+SBSIGN_KEY ?= "db.key"
+SBSIGN_CERT ?= "db.crt"
+SBSIGN_TARGET_BINARY ?= "binary_to_sign"
+
+# makes sure changed keys trigger rebuild/re-signing
+SRC_URI += "\
+    file://${SBSIGN_KEY} \
+    file://${SBSIGN_CERT} \
+"
+
+# not adding as task since recipes may need to sign binaries at different
+# stages. Instead they can call this function when needed by calling this function
+do_sbsign() {
+    bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}"
+    ${STAGING_BINDIR_NATIVE}/sbsign \
+        --key "${UNPACKDIR}/${SBSIGN_KEY}" \
+        --cert "${UNPACKDIR}/${SBSIGN_CERT}" \
+        --output  "${SBSIGN_TARGET_BINARY}.signed" \
+        "${SBSIGN_TARGET_BINARY}"
+    cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"
+    cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}"
+}
\ No newline at end of file
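
Review bot: adding the key to `SRC_URI` copies `db.key` into every inheriting recipe's `${UNPACKDIR}`, so a private key ends up in each work directory (and in any archived work tree); it would be safer to point sbsign at `${SBSIGN_KEY}` in place and declare the files with `do_compile[file-checksums]` (or a `do_sbsign[file-checksums]` if it becomes a task), which gives the same rebuild trigger. The `${UNPACKDIR}/${SBSIGN_KEY}` path only resolves for the absolute paths patch 10 passes because the file fetcher mirrors absolute `file://` paths under the unpack directory; the header comment shows bare filenames and does not mention this. Missing newline at end of file.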
-- 
2.46.0




* [PATCH v4 06/13] core-image-minimal: Inherit uefi-sb-keys
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (4 preceding siblings ...)
  2024-08-29 16:32 ` [PATCH v4 05/13] sbsign.bbclass: Add class to sign binaries Javier Tia
@ 2024-08-29 16:32 ` Javier Tia
  2024-08-30 14:14   ` Jon Mason
  2024-08-29 16:32 ` [PATCH v4 07/13] meta-arm: Introduce gen-uefi-sb-keys.bb recipe Javier Tia
                   ` (7 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:32 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../recipes-core/images/core-image-minimal-uefi-secureboot.inc  | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
index 351e9030..2232d3b3 100644
--- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
+++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
@@ -1 +1,3 @@
+inherit uefi-sb-keys
+
 WKS_FILE = "efi-disk-no-swap.wks.in"
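
Review bot: the commit message body is empty; explain why the key check is attached to the image recipe rather than to the recipes that actually sign (u-boot, linux-yocto, systemd-boot). With this placement only core-image-minimal gets the check (the bbappend in patch 02 is specific to it), so another image on this machine still fails, only later and inside the kernel's `do_compile`.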
-- 
2.46.0




* [PATCH v4 07/13] meta-arm: Introduce gen-uefi-sb-keys.bb recipe
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (5 preceding siblings ...)
  2024-08-29 16:32 ` [PATCH v4 06/13] core-image-minimal: Inherit uefi-sb-keys Javier Tia
@ 2024-08-29 16:32 ` Javier Tia
  2024-08-30 14:17   ` Jon Mason
  2024-08-29 16:32 ` [PATCH v4 08/13] u-boot: Setup UEFI and Secure Boot Javier Tia
                   ` (6 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:32 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

Generate a new set of keys at build time. This avoids reusing the same
keys, which could be a security issue.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++
 meta-arm/uefi-sb-keys/.gitignore              |  4 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 56 +++++++++----------
 3 files changed, 57 insertions(+), 29 deletions(-)
 create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
 create mode 100644 meta-arm/uefi-sb-keys/.gitignore

diff --git a/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
new file mode 100644
index 00000000..a4ae6d87
--- /dev/null
+++ b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: MIT
+
+SUMMARY = "Generate UEFI keys for secure boot"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+DEPENDS += "bash-native"
+DEPENDS += "coreutils-native"
+DEPENDS += "efitools-native"
+DEPENDS += "openssl-native"
+
+SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh"
+
+UNPACKDIR = "${S}"
+
+do_fetch[noexec] = "1"
+do_patch[noexec] = "1"
+do_compile[noexec] = "1"
+do_configure[noexec] = "1"
+
+do_install() {
+    ${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh ${UEFI_SB_KEYS_DIR}
+}
+
+FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key"
+FILES:${PN} += "${UEFI_SB_KEYS_DIR}/*.crt"
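
Review bot: `do_install` runs the generator against `${UEFI_SB_KEYS_DIR}`, i.e. it writes into the layer source tree instead of `${D}`, and `FILES:${PN}` then names paths outside `${D}`, so the package is empty while the side effect on the source tree is invisible to sstate: a `bitbake -c cleansstate gen-uefi-sb-keys` or a lost stamp regenerates all four key pairs, after which anything already signed or preseeded with the old keys no longer verifies. Generate into `${B}` and publish through `deploy.bbclass`, or keep this a host-side step documented in the cover letter. The script is unpacked into `${S}` via `SRC_URI` but the copy in the layer is what runs, so the `SRC_URI` entry only serves as a rebuild trigger; a comment saying so would help.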
diff --git a/meta-arm/uefi-sb-keys/.gitignore b/meta-arm/uefi-sb-keys/.gitignore
new file mode 100644
index 00000000..f8669919
--- /dev/null
+++ b/meta-arm/uefi-sb-keys/.gitignore
@@ -0,0 +1,4 @@
+*.auth
+*.crt
+*.esl
+*.key
\ No newline at end of file
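
Review bot: missing newline at end of file. `*.auth` also covers `noPK.auth`, which is fine, but this file belongs in the same patch as the `UEFI_SB_KEYS_DIR` default (patch 03), which is where the key directory first becomes part of the layer.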
diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
index fc7f25c9..21e65c72 100755
--- a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
+++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
@@ -1,35 +1,33 @@
-#/bin/sh
+#!/bin/bash
+#
+# SPDX-License-Identifier: MIT
+#
 
 set -eux
 
-#Create PK
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
-sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+KEYS_PATH=${1:-./}
+SUBJECT="/CN=Linaro_LEDGE/"
+GUID="11111111-2222-3333-4444-123456789abc"
 
-#Create KEK
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
-sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \
+    -keyout "${KEYS_PATH}"/PK.key -out "${KEYS_PATH}"/PK.crt \
+    -nodes -days 3650
+cert-to-efi-sig-list -g ${GUID} \
+    "${KEYS_PATH}"/PK.crt "${KEYS_PATH}"/PK.esl
+sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
+    "${KEYS_PATH}"/PK "${KEYS_PATH}"/PK.esl "${KEYS_PATH}"/PK.auth
 
-#Create DB
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
-sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
-
-#Create DBX
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
-sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
-
-#Sign image
-#sbsign --key db.key --cert db.crt Image
-
-#Digest image
-#hash-to-efi-sig-list Image db_Image.hash
-#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
-
-#Empty cert for testing
-touch noPK.esl
-sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+for key in KEK db dbx; do
+    openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \
+        -keyout "${KEYS_PATH}"/${key}.key -out "${KEYS_PATH}"/${key}.crt \
+        -nodes -days 3650
+    cert-to-efi-sig-list -g ${GUID} \
+        "${KEYS_PATH}"/${key}.crt "${KEYS_PATH}"/${key}.esl
+    sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
+        "${KEYS_PATH}"/${key} "${KEYS_PATH}"/${key}.esl "${KEYS_PATH}"/${key}.auth
+done
 
+# Empty cert for testing
+touch "${KEYS_PATH}"/noPK.esl
+sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
+    "${KEYS_PATH}"/PK "${KEYS_PATH}"/noPK.esl "${KEYS_PATH}"/noPK.auth
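
Review bot: the loop signs `db.auth` and `dbx.auth` with the PK (`-c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key`), whereas the removed lines signed them with the KEK; in the UEFI key hierarchy the PK authorizes KEK updates and the KEK authorizes db/dbx updates, so either select the signer per key inside the loop or document why PK is used. `dbx` is also given its own RSA key pair although nothing in the series signs with it; dbx holds hashes or certificates to revoke, so an empty list or the hash of a known-bad image would be a more honest fixture. The unquoted `${GUID}` and `${key}` are harmless only because neither contains whitespace.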
-- 
2.46.0




* [PATCH v4 08/13] u-boot: Setup UEFI and Secure Boot
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (6 preceding siblings ...)
  2024-08-29 16:32 ` [PATCH v4 07/13] meta-arm: Introduce gen-uefi-sb-keys.bb recipe Javier Tia
@ 2024-08-29 16:32 ` Javier Tia
  2024-08-30 14:23   ` Jon Mason
  2024-08-29 16:32 ` [PATCH v4 09/13] qemuarm64-secureboot: Add meta-secure-core layer as dependency Javier Tia
                   ` (5 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:32 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

Add U-Boot minimal UEFI definitions.

Embed UEFI variables with the previously generated keys, to enable UEFI
Secure Boot and verify the authenticity of the firmware and operating
system.

When U-Boot is built with UEFI support, it includes a set of efivars
that are used to store the Secure Boot variables. These efivars are
embedded in the U-Boot binary and are stored in the flash memory of the
system.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../u-boot/u-boot-qemuarm64-secureboot.inc     | 18 ++++++++++++++++++
 .../u-boot/u-boot/uefi-secureboot.cfg          | 10 ++++++++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend       |  2 +-
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg

diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
new file mode 100644
index 00000000..ffad08e4
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
@@ -0,0 +1,18 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://uefi-secureboot.cfg"
+
+UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"
+UBOOT_ENV_NAME = "qemu-arm.env"
+
+DEPENDS += 'python3-pyopenssl-native'
+
+do_compile:prepend() {
+    export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
+
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk  -d "${UEFI_SB_KEYS_DIR}"/PK.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db  -d "${UEFI_SB_KEYS_DIR}"/db.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file
+    "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
+}
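
Review bot: the recipe reads `PK.esl`, `KEK.esl`, `db.esl` and `dbx.esl` from `${UEFI_SB_KEYS_DIR}` in `do_compile` but neither depends on `gen-uefi-sb-keys` (the kernel include in patch 10 does) nor declares the files with `do_compile[file-checksums]`; a key regeneration therefore leaves a stale preseeded store in U-Boot while the kernel is signed with the new `db.key`, and the result is a kernel that fails verification at boot. Add both. The `efivar.py print` at the end dumps the whole store into the task log, harmless for certificates but worth a comment so nobody later extends it to private material.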
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
new file mode 100644
index 00000000..d2edb5fb
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
@@ -0,0 +1,10 @@
+CONFIG_CMD_BOOTMENU=y
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="bootmenu"
+CONFIG_USE_PREBOOT=y
+CONFIG_EFI_VAR_BUF_SIZE=65536
+CONFIG_FIT_SIGNATURE=y
+CONFIG_EFI_SECURE_BOOT=y
+CONFIG_EFI_VARIABLES_PRESEED=y
+CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
+CONFIG_PREBOOT_DEFINED=y
\ No newline at end of file
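
Review bot: `CONFIG_FIT_SIGNATURE=y` is unrelated to UEFI Secure Boot (it covers U-Boot FIT images, which nothing in this series signs); drop it or explain it in the commit message. `CONFIG_EFI_VARIABLES_PRESEED=y` is what consumes the `ubootefi.var` that the `do_compile:prepend` in the `.inc` above writes into `${S}`; a comment in the fragment linking the two would help the next reader. Missing newline at end of file.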
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
index 11f332ad..ee815b6a 100644
--- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -5,6 +5,6 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
 MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
 MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
 MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
+MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"
 
 require ${MACHINE_U-BOOT_REQUIRE}
-
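
Review bot: `MACHINE_U-BOOT_REQUIRE += ...` appends to the base value only, so a machine that selects its include through an override (`:corstone1000`, `:fvp-base`, `:juno`, `:tc`) and later enables `uefi-secureboot` silently loses this include, because the override assignment replaces the whole value; a separate `require ${@bb.utils.contains(...)}` line, as the kernel bbappend in patch 10 does, avoids that. Removing the trailing blank line is unrelated churn.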
-- 
2.46.0




* [PATCH v4 09/13] qemuarm64-secureboot: Add meta-secure-core layer as dependency
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (7 preceding siblings ...)
  2024-08-29 16:32 ` [PATCH v4 08/13] u-boot: Setup UEFI and Secure Boot Javier Tia
@ 2024-08-29 16:32 ` Javier Tia
  2024-08-30 15:03   ` Jon Mason
  2024-08-29 16:32 ` [PATCH v4 10/13] linux-yocto: Setup UEFI and sign kernel image Javier Tia
                   ` (4 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:32 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

meta-secure-core is required because of sbsigntool.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index fdde1e79..03281a08 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -4,13 +4,15 @@ header:
   version: 14
   includes:
     - ci/base.yml
-
-machine: qemuarm64-secureboot
+    - ci/meta-openembedded.yml
+    - ci/meta-secure-core.yml
 
 local_conf_header:
   optee: |
     IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
     TEST_SUITES:append = " optee ftpm"
 
+machine: qemuarm64-secureboot
+
 target:
   - core-image-minimal
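
Review bot: the commit message says meta-secure-core is needed for sbsigntool, but the hunk also adds `ci/meta-openembedded.yml`; state why (presumably as a dependency of meta-secure-core) so the extra layer is not removed later as unused. `machine:` is moved below `local_conf_header` for no functional reason; leave it where it was to keep the diff minimal.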
-- 
2.46.0




* [PATCH v4 10/13] linux-yocto: Setup UEFI and sign kernel image
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (8 preceding siblings ...)
  2024-08-29 16:32 ` [PATCH v4 09/13] qemuarm64-secureboot: Add meta-secure-core layer as dependency Javier Tia
@ 2024-08-29 16:32 ` Javier Tia
  2024-08-30 15:16   ` Jon Mason
  2024-08-29 16:32 ` [PATCH v4 11/13] systemd: Add UEFI support Javier Tia
                   ` (3 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:32 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

efivarfs kernel module is required to access EFI vars.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../core-image-minimal-uefi-secureboot.inc    |  8 ++++++++
 .../linux/linux-yocto%.bbappend               |  2 ++
 .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc

diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
index 2232d3b3..06046f6e 100644
--- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
+++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
@@ -1,3 +1,11 @@
 inherit uefi-sb-keys
 
 WKS_FILE = "efi-disk-no-swap.wks.in"
+
+# Detected by passing kernel parameter
+QB_KERNEL_ROOT = ""
+
+# kernel is in the image, should not be loaded separately
+QB_DEFAULT_KERNEL = "none"
+
+KERNEL_IMAGETYPE = "Image"
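
Review bot: `KERNEL_IMAGETYPE = "Image"` in an image `.inc` only affects the image recipe's own datastore (here the expansion of `IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"` from the machine conf); the kernel recipe still builds whatever the machine conf or distro sets, and that is the artifact the `find ${B} -name ${KERNEL_IMAGETYPE}` in the next hunks signs. If the two ever differ, wic copies an unsigned file. Set it once in qemuarm64-secureboot.conf instead. The comment "Detected by passing kernel parameter" does not say what is detected or by whom; spell out that the root device comes from the boot entry's command line rather than from runqemu, if that is the intent.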
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
index a287d0e1..29c21355 100644
--- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \
 
 FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
 require ${FFA_TRANSPORT_INCLUDE}
+
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
\ No newline at end of file
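
Review bot: missing newline at end of file.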
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
new file mode 100644
index 00000000..cb62fdee
--- /dev/null
+++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
@@ -0,0 +1,19 @@
+KERNEL_FEATURES += "cfg/efi-ext.scc"
+
+DEPENDS += 'gen-uefi-sb-keys'
+
+inherit sbsign
+
+SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"
+SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt"
+
+# shell variable set inside do_compile task
+SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"
+
+do_compile:append() {
+    KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)
+    do_sbsign
+}
+
+RRECOMMENDS:${PN} += "kernel-module-efivarfs"
+RRECOMMENDS:${PN} += "kernel-module-efivars"
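
Review bot: `SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"` relies on a shell variable set inside `do_compile:append`, and `find ${B} -name ${KERNEL_IMAGETYPE} -print -quit` returns the first match in directory order, or nothing, in which case sbsign is invoked with an empty path and fails with an unhelpful error; use the known location `${B}/${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}` that kernel.bbclass already provides and fail explicitly if it is absent. Only one image type is signed, so a machine with several `KERNEL_IMAGETYPES` ships unsigned extras. `kernel-module-efivars` is the legacy sysfs interface removed from mainline in 6.0, so that `RRECOMMENDS` is dead on a current linux-yocto; `kernel-module-efivarfs` is the one the commit message asks for.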
-- 
2.46.0



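The patch above makes efivarfs available so that the Secure Boot state can be read from the booted system, which is what the runtime test added at the end of the series relies on. As an added example, not the series' own test code, here is a standard-library Python check that mirrors what the Linux kernel's `efi_get_secureboot()` does: it reads both `SecureBoot` and `SetupMode` and only reports "enforcing" when the first is 1 and the second is 0, because a platform in setup mode (no PK enrolled, which is exactly what the series' `noPK.auth` produces) accepts unsigned images. The efivarfs path, the EFI_GLOBAL_VARIABLE GUID and the attribute-word-plus-data file layout are from the UEFI specification and the kernel's efivarfs; `efivar_blob` constructs test input in that layout.

```python
"""Decide from efivarfs whether UEFI Secure Boot is enforcing, the way the
kernel's efi_get_secureboot() does: SecureBoot must be 1 and SetupMode 0."""
import os

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"

# Attribute bits in the UINT32 that efivarfs prefixes to every variable's data.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(blob):
    """Split the raw efivarfs file contents into (attributes, data)."""
    if len(blob) < 4:
        raise ValueError("efivarfs entry shorter than its attribute word")
    return int.from_bytes(blob[:4], "little"), bytes(blob[4:])


def secure_boot_state(secureboot, setupmode):
    """Classify the raw contents of SecureBoot and SetupMode as one of
    'enforcing', 'setup-mode' or 'disabled'.  Both are volatile values the
    firmware computes at boot, so a non-volatile attribute is an error."""
    sb_attrs, sb = parse_efivar(secureboot)
    sm_attrs, sm = parse_efivar(setupmode)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot and SetupMode are one-byte variables")
    if (sb_attrs | sm_attrs) & EFI_VARIABLE_NON_VOLATILE:
        raise ValueError("SecureBoot/SetupMode unexpectedly non-volatile")
    if sm[0] == 1:
        return "setup-mode"  # no PK enrolled: unsigned images are accepted
    return "enforcing" if sb[0] == 1 else "disabled"


def efivar_blob(value, attrs=EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS):
    """Construct an efivarfs-shaped blob for a one-byte variable (test input)."""
    return attrs.to_bytes(4, "little") + bytes([value])


def read_efivar(name, guid=EFI_GLOBAL_VARIABLE):
    """Read one variable from a mounted efivarfs."""
    with open(os.path.join(EFIVARS, "%s-%s" % (name, guid)), "rb") as f:
        return f.read()


if __name__ == "__main__":
    try:
        print(secure_boot_state(read_efivar("SecureBoot"), read_efivar("SetupMode")))
    except FileNotFoundError:
        print("efivarfs not mounted, or not booted via UEFI")
```

On the qemuarm64-secureboot image this should print `enforcing`; `setup-mode` after the PK has been cleared with `noPK.auth` is the case a test that only looks at `SecureBoot` would miss.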

* [PATCH v4 11/13] systemd: Add UEFI support
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (9 preceding siblings ...)
  2024-08-29 16:32 ` [PATCH v4 10/13] linux-yocto: Setup UEFI and sign kernel image Javier Tia
@ 2024-08-29 16:32 ` Javier Tia
  2024-08-30 15:24   ` Jon Mason
  2024-08-29 16:32 ` [PATCH v4 12/13] systemd-boot: Use it as bootloader & sign UEFI image Javier Tia
                   ` (2 subsequent siblings)
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:32 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/conf/machine/qemuarm64-secureboot.conf              | 5 +++++
 .../images/core-image-minimal-uefi-secureboot.inc            | 2 ++
 meta-arm/recipes-core/systemd/systemd-efi.inc                | 1 +
 meta-arm/recipes-core/systemd/systemd_%.bbappend             | 1 +
 4 files changed, 9 insertions(+)
 create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend

diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index 2483c4ac..542d09a3 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -22,4 +22,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
 IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
 
 MACHINE_FEATURES += "optee-ftpm"
+MACHINE_FEATURES += "efi"
 MACHINE_FEATURES += "uefi-secureboot"
+
+INIT_MANAGER = "systemd"
+DISTRO_FEATURES += "systemd"
+DISTRO_FEATURES_NATIVE += "systemd"
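Review bot: `DISTRO_FEATURES += "systemd"` in a machine .conf is evaluated before the distro .conf is included, so when the distro sets its feature list with `?=` (poky does) this line replaces the default set instead of extending it; use `DISTRO_FEATURES:append = " systemd"`, or simply rely on `INIT_MANAGER = "systemd"`, whose init-manager-systemd.inc already appends systemd. The same applies to DISTRO_FEATURES_NATIVE. More broadly, INIT_MANAGER is distro policy: forcing it from the machine config means every distro that targets qemuarm64-secureboot gets systemd, and the commit message should say why (the cover letter's reason is auto-mounting efivarfs).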
diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
index 06046f6e..07e315a3 100644
--- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
+++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
@@ -9,3 +9,5 @@ QB_KERNEL_ROOT = ""
 QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
+
+IMAGE_INSTALL += "systemd"
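Review bot: `IMAGE_INSTALL += "systemd"` is redundant once INIT_MANAGER is systemd, because packagegroup-core-boot already installs ${VIRTUAL-RUNTIME_init_manager}, which init-manager-systemd.inc sets to systemd. If the point is to guarantee efivarfs is mounted at boot, state that in the commit message; the package itself is not secure-boot specific and sits oddly in the uefi-secureboot image include.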
diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc
new file mode 100644
index 00000000..5572e51a
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-efi.inc
@@ -0,0 +1 @@
+PACKAGECONFIG:append = " efi"
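Review bot: keying systemd's `efi` PACKAGECONFIG on a MACHINE_FEATURE yields a per-machine systemd build, and the upstream recipe already turns `efi` on when it is present in DISTRO_FEATURES (its PACKAGECONFIG is filtered from DISTRO_FEATURES). If the distro is not expected to carry `efi`, the commit message should say why a machine-level override is preferred, and this .inc should note which functionality the feature is actually needed for.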
diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend
new file mode 100644
index 00000000..660358c2
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}
-- 
2.46.0




* [PATCH v4 12/13] systemd-boot: Use it as bootloader & sign UEFI image
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (10 preceding siblings ...)
  2024-08-29 16:32 ` [PATCH v4 11/13] systemd: Add UEFI support Javier Tia
@ 2024-08-29 16:32 ` Javier Tia
  2024-08-29 16:32 ` [PATCH v4 13/13] meta-arm: Add UEFI Secure Boot test Javier Tia
  2024-08-30  3:06 ` [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Jon Mason
  13 siblings, 0 replies; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:32 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

As qemuarm64-secureboot is already using systemd as Init manager, use
systemd-boot as bootloader too. It has a simpler and more intuitive
configuration format compared to grub. It uses a single configuration
file that is easy to understand and modify.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm-bsp/wic/efi-disk-no-swap.wks.in             |  2 +-
 meta-arm/conf/machine/qemuarm64-secureboot.conf      |  2 ++
 .../images/core-image-minimal-uefi-secureboot.inc    |  2 +-
 .../systemd/systemd-boot-uefi-secureboot.inc         | 12 ++++++++++++
 .../recipes-core/systemd/systemd-boot_%.bbappend     |  1 +
 5 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend

diff --git a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
index 6ae7ad9d..6d77d3aa 100644
--- a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
+++ b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
@@ -7,4 +7,4 @@ part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label
 
 part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --exclude-path boot/
 
-bootloader --ptable gpt --timeout=1 --append="${GRUB_LINUX_APPEND}"
+bootloader --ptable gpt --timeout=5 --append="${LINUX_KERNEL_ARGS}"
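Review bot: efi-disk-no-swap.wks.in lives in meta-arm-bsp and is shared with other machines, and this hunk changes the kernel command line variable for all of them from GRUB_LINUX_APPEND to LINUX_KERNEL_ARGS; nothing visible in this series defines LINUX_KERNEL_ARGS, so a machine that only sets GRUB_LINUX_APPEND silently boots with an empty `--append`. Either confirm every user of this .wks.in sets LINUX_KERNEL_ARGS or route both through one variable with a default. The timeout change from 1 to 5 is unrelated to switching loaders and is not mentioned in the commit message.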
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index 542d09a3..9c8496cb 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -25,6 +25,8 @@ MACHINE_FEATURES += "optee-ftpm"
 MACHINE_FEATURES += "efi"
 MACHINE_FEATURES += "uefi-secureboot"
 
+EFI_PROVIDER = "systemd-boot"
+
 INIT_MANAGER = "systemd"
 DISTRO_FEATURES += "systemd"
 DISTRO_FEATURES_NATIVE += "systemd"
diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
index 07e315a3..e5cf7760 100644
--- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
+++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
@@ -10,4 +10,4 @@ QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
 
-IMAGE_INSTALL += "systemd"
+IMAGE_INSTALL += "systemd systemd-boot"
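Review bot: `systemd-boot` in IMAGE_INSTALL puts the loader into the root filesystem, where nothing executes it; the copy on the ESP comes from bootimg-efi via `loader=${EFI_PROVIDER}` and DEPLOY_DIR_IMAGE. Unless bootctl or a runtime update path is wanted inside the image, drop it; if it is wanted, say so in the commit message.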
diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
new file mode 100644
index 00000000..c0753614
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
@@ -0,0 +1,12 @@
+DEPENDS += 'gen-uefi-sb-keys'
+DEPENDS += "sbsigntool-native"
+
+inherit sbsign
+
+SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"
+SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt"
+SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
+
+do_compile:append() {
+    do_sbsign
+}
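Review bot: `${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi` hard-codes systemd's internal meson output path, so the next upstream reshuffle of src/boot breaks signing without any change in this layer; sign the file the recipe deploys, in a do_deploy:append, rather than reaching into the build tree. DEPENDS mixes quoting styles (`'gen-uefi-sb-keys'` next to `"sbsigntool-native"`) and adds sbsigntool-native here while the kernel .inc in patch 10 does not; that dependency belongs in sbsign.bbclass once.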
diff --git a/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
new file mode 100644
index 00000000..caba9830
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)}
\ No newline at end of file
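Review bot: missing newline at end of file.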
-- 
2.46.0
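Both signing steps in this series (the kernel Image in patch 10, systemd-boot above) run sbsign inside do_compile, and nothing afterwards confirms that the artifact which reached the deploy directory is the signed copy. The following is an added example, not code from the series or from the sbsign class: it parses the PE/COFF header of an image (an aarch64 Image with an EFI stub is a PE32+ file, as sbsign requires) and reports whether the Certificate Table directory contains a WIN_CERTIFICATE of type PKCS_SIGNED_DATA, which is what sbsign appends. `build_sample_pe` is a constructed minimal header used only so the parser can be exercised offline; the directory offsets, magic values and certificate types are from the PE/COFF and Authenticode specifications.

```python
"""Detect an Authenticode certificate table in a PE32/PE32+ image (added example)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory index of the cert table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # what sbsign/signtool write
WIN_CERT_REVISION_2_0 = 0x0200
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_certificate_table(image: bytes) -> list:
    """Return the WIN_CERTIFICATE entries of a PE image, [] if it has none.

    Raises ValueError for anything that is not a parseable PE header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if pe_off + 24 + 2 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = 108, 112
    elif magic == PE32_MAGIC:
        nrva_off, dd_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (nrva,) = struct.unpack_from("<I", image, opt + nrva_off)
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY or dd_off + 8 * nrva > opt_size:
        return []
    # Unlike every other directory, the security entry holds a raw file offset.
    sec_off, sec_size = struct.unpack_from(
        "<II", image, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return []
    if sec_off + sec_size > len(image):
        raise ValueError("certificate table points past end of file")
    entries, pos, end = [], sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE length")
        entries.append({"revision": revision, "type": cert_type,
                        "data": image[pos + 8:pos + length]})
        pos += (length + 7) & ~7        # entries are padded to 8-byte boundaries
    return entries


def has_authenticode_signature(image: bytes) -> bool:
    """True if at least one PKCS#7 SignedData blob is attached (presence, not validity)."""
    return any(e["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA
               for e in pe_certificate_table(image))


def build_sample_pe(cert_blob=None) -> bytes:
    """Constructed minimal PE32+ (aarch64) header for offline tests; not a real image."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    pe = 0x40
    img[pe:pe + 4] = b"PE\0\0"
    opt_size = 112 + 16 * 8                                 # PE32+ with 16 directories
    struct.pack_into("<HHIIIHH", img, pe + 4, 0xAA64, 0, 0, 0, 0, opt_size, 0x22)
    opt = pe + 24
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<I", img, opt + 108, 16)              # NumberOfRvaAndSizes
    if cert_blob is not None:
        wc = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                         WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        wc += b"\0" * (-len(wc) % 8)
        struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(img), len(wc))
        img += wc
    return bytes(img)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:            # e.g. tmp/deploy/images/.../Image
        data = fh.read()
    print("signed" if has_authenticode_signature(data) else "UNSIGNED")
```

Presence of a certificate table only proves that sbsign ran on this copy of the file; it does not verify the signature against db.crt or the PE hash. For that, run `sbverify --cert db.crt <image>` on the deployed artifact, ideally as part of the same task that deploys it.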




* [PATCH v4 13/13] meta-arm: Add UEFI Secure Boot test
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (11 preceding siblings ...)
  2024-08-29 16:32 ` [PATCH v4 12/13] systemd-boot: Use it as bootloader & sign UEFI image Javier Tia
@ 2024-08-29 16:32 ` Javier Tia
  2024-08-30 15:28   ` Jon Mason
  2024-08-30  3:06 ` [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Jon Mason
  13 siblings, 1 reply; 32+ messages in thread
From: Javier Tia @ 2024-08-29 16:32 UTC (permalink / raw)
  To: meta-arm; +Cc: Mikko Rapeli, Ross Burton, Jon Mason, Javier Tia

Add a test to verify UEFI Secure Boot is enabled.

Run the test:

kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 ci/qemuarm64-secureboot.yml                   |  2 ++
 .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++++++
 .../core-image-minimal-uefi-secureboot.inc    |  6 +++-
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py

diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
index 03281a08..3eb8c20c 100644
--- a/ci/qemuarm64-secureboot.yml
+++ b/ci/qemuarm64-secureboot.yml
@@ -11,6 +11,8 @@ local_conf_header:
   optee: |
     IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
     TEST_SUITES:append = " optee ftpm"
+  uefi_secure_boot: |
+    TEST_SUITES:append = " uefi_secure_boot"
 
 machine: qemuarm64-secureboot
 
diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
new file mode 100644
index 00000000..4a62b54c
--- /dev/null
+++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
@@ -0,0 +1,32 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+import os
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.oetimeout import OETimeout
+
+
+class UEFI_SB_TestSuite(OERuntimeTestCase):
+    """
+    Validate Secure Boot is Enabled
+    """
+
+    @OETimeout(1300)
+    def test_uefi_secure_boot(self):
+        # Validate Secure Boot is enabled by checking
+        # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
+        # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
+        # identifier for the Secure Boot UEFI variable. By checking the value of
+        # this variable, specifically
+        # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
+        # whether Secure Boot is enabled or not. This variable is set by the
+        # UEFI firmware to indicate the current Secure Boot state. If the
+        # variable is set to a value of '0x1' (or '1'), it indicates that Secure
+        # Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
+        # it indicates that Secure Boot is disabled.
+        cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot"
+        status, output = self.target.run(cmd, timeout=120)
+        self.assertEqual(output, "1", msg="\n".join([cmd, output]))
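Review bot: `status` is ignored, so a missing efivar binary or an unmounted efivarfs fails on unrelated error text instead of a clear message; assert `status == 0` first and decorate the test with `@OEHasPackage(['efivar'])`, which is imported but unused (as is `os`). SecureBoot=1 by itself is also not proof of enforcement: check that `SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c` reads 0 as well, since a platform with no PK enrolled is in setup mode. `@OETimeout(1300)` is far beyond the 120 s already given to the one command. The eleven-line comment restates the UEFI spec; two lines naming the variable and its meaning are enough.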
diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
index e5cf7760..ce64b8b5 100644
--- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
+++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
@@ -10,4 +10,8 @@ QB_DEFAULT_KERNEL = "none"
 
 KERNEL_IMAGETYPE = "Image"
 
-IMAGE_INSTALL += "systemd systemd-boot"
+IMAGE_INSTALL += "systemd systemd-boot util-linux coreutils efivar"
+
+inherit extrausers
+
+EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"
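Review bot: `allow-root-login empty-root-password` lands in the image include that every uefi-secureboot build uses, not just the CI test image, so the feature ships a passwordless root account alongside the signed boot chain; move these to ci/testimage.yml or gate them on the testimage class. `inherit extrausers` is unused (no EXTRA_USERS_PARAMS is set). The `util-linux coreutils` additions are not explained in the commit message.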
-- 
2.46.0
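The test in this patch shells out to efivar(1) and looks only at SecureBoot. As an added example, not part of the series, the following reads the two relevant variables straight from efivarfs, whose file layout is a 4-byte little-endian EFI_VARIABLE_* attribute word followed by the variable data, and treats the platform as enforcing only when SecureBoot is 1 and SetupMode is 0. The variable names and the EFI_GLOBAL_VARIABLE GUID are the real ones; the sample byte strings are constructed so the logic runs without firmware.

```python
"""UEFI Secure Boot state from efivarfs, without efivar(1) (added example)."""
import os
import struct

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attribute mask, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def efi_uint8_flag(raw: bytes) -> bool:
    """Interpret a one-byte flag variable such as SecureBoot or SetupMode."""
    attrs, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError("expected 1 data byte, got %d" % len(data))
    if not attrs & EFI_VARIABLE_RUNTIME_ACCESS:
        # The OS can only see RT-accessible variables; anything else is malformed.
        raise ValueError("variable lacks EFI_VARIABLE_RUNTIME_ACCESS")
    return data[0] == 1


def secure_boot_state(read):
    """read(filename) -> bytes, raising FileNotFoundError for a missing variable.

    Returns {'SecureBoot': bool|None, 'SetupMode': bool|None}; None means the
    variable is absent (no EFI runtime services, or efivarfs not mounted)."""
    state = {}
    for name in ("SecureBoot", "SetupMode"):
        try:
            state[name] = efi_uint8_flag(read("%s-%s" % (name, EFI_GLOBAL_VARIABLE)))
        except FileNotFoundError:
            state[name] = None
    return state


def secure_boot_enforced(state) -> bool:
    """Enforcing means SecureBoot == 1 and the platform has left setup mode (PK enrolled)."""
    return state.get("SecureBoot") is True and state.get("SetupMode") is False


def read_from_efivarfs(name: str, base: str = EFIVARS_DIR) -> bytes:
    with open(os.path.join(base, name), "rb") as fh:
        return fh.read()


def reader_from_dict(variables):
    """Build a read() callback over constructed sample data."""
    def read(name):
        try:
            return variables[name]
        except KeyError:
            raise FileNotFoundError(name) from None
    return read


# Constructed samples; attribute mask 0x06 = BS|RT, as firmware sets for these two.
SAMPLE_ENFORCING = {
    "SecureBoot-" + EFI_GLOBAL_VARIABLE: b"\x06\x00\x00\x00\x01",
    "SetupMode-" + EFI_GLOBAL_VARIABLE: b"\x06\x00\x00\x00\x00",
}
SAMPLE_SETUP_MODE = {          # no PK enrolled: SecureBoot reads 0, SetupMode 1
    "SecureBoot-" + EFI_GLOBAL_VARIABLE: b"\x06\x00\x00\x00\x00",
    "SetupMode-" + EFI_GLOBAL_VARIABLE: b"\x06\x00\x00\x00\x01",
}
SAMPLE_NO_EFI = {}

if __name__ == "__main__":
    live = secure_boot_state(read_from_efivarfs)
    print(live, "ENFORCING" if secure_boot_enforced(live) else "NOT ENFORCING")
```

Run on the target it needs only Python and a mounted efivarfs, so the image does not have to carry efivar for the check; in the OEQA case the same three results (SecureBoot, SetupMode, the combined verdict) are what the assertion should be written against.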




* Re: [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot
  2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
                   ` (12 preceding siblings ...)
  2024-08-29 16:32 ` [PATCH v4 13/13] meta-arm: Add UEFI Secure Boot test Javier Tia
@ 2024-08-30  3:06 ` Jon Mason
  2024-08-30  6:10   ` Mikko Rapeli
  13 siblings, 1 reply; 32+ messages in thread
From: Jon Mason @ 2024-08-30  3:06 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

Looks like this series is not building for me.  I'm seeing the
following error:

ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found                     | ETA:  0:00:12
The following paths were searched:
/builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
ERROR: Parsing halted due to errors, see error messages above                                                                                                                                  | ETA:  0:00:14
ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found
The following paths were searched:
/builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
The following paths were searched:
/builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key

I've not looked into it, but it's being seen on multiple setups and is
trivial to replicate with:
kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml

Thanks,
Jon


On Thu, Aug 29, 2024 at 10:31:56AM -0600, Javier Tia wrote:
> Hi,
> 
> Addressing comments from patch series v3.
> 
> A backport from meta-ts with the minimal changes to add UEFI Secure Boot
> into qemuarm64-secureboot machine.
> 
> Requirements:
> 
>   - Create a UEFI disk partition to copy EFI apps.
> 
>   - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.
> 
>   - UEFI keys are to be stored in U-Boot and used to sign systemd-boot
>     and Linux kernel images.
> 
>   - Add systemd as Init manager to auto-mount efivarfs.
> 
> Introduces uefi-secureboot machine feature.
> 
> UEFI keys must be generated in order to be added to U-Boot. Sign both
> systemd-boot EFI app and Linux kernel image.
> 
> Build and verification steps:
> 
> $ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'
> 
> ---
> 
> Changes since v3:
> - For image creation use core-image-minimal, instead of core-image-base.
> 
> Changes since v2:
> - Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".
> 
> Changes since v1:
> - Rework all subject commits to follow OE, Yocto, and meta-arm guidelines.
> - Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
> - Add an OE test to validate UEFI Secure Boot.
> - Simplify gen_uefi_keys.sh to avoid code repetition.
> - Replace grub with systemd-boot.
> - Simplify signing binary images with sbsign class.
> - Set OE branch to Scarthgap.
> 
> Changes since the v0:
> - Remove u-boot recipe.
> - Split the change in several commits.
> - Remove sample UEFI keys.
> - Validate UEFI keys exist before building.
> - Isolate most of changes under uefi-secureboot machine feature.
> 
> Javier Tia (13):
>   qemuarm64-secureboot: Introduce uefi-secureboot machine feature
>   core-image-minimal: Use UEFI layout disk partitions
>   layer.conf: Introduce UEFI_SB_KEYS_DIR
>   uefi-sb-keys.bbclass: Add class to validate UEFI keys
>   sbsign.bbclass: Add class to sign binaries
>   core-image-minimal: Inherit uefi-sb-keys
>   meta-arm: Introduce gen-uefi-sb-keys.bb recipe
>   u-boot: Setup UEFI and Secure Boot
>   qemuarm64-secureboot: Add meta-secure-core layer as dependency
>   linux-yocto: Setup UEFI and sign kernel image
>   systemd: Add UEFI support
>   systemd-boot: Use it as bootloader & sign UEFI image
>   meta-arm: Add UEFI Secure Boot test
> 
>  ci/qemuarm64-secureboot.yml                   | 14 ++++---
>  .../u-boot/u-boot-qemuarm64-secureboot.inc    | 18 +++++++++
>  .../u-boot/u-boot/uefi-secureboot.cfg         | 10 +++++
>  .../recipes-bsp/u-boot/u-boot_%.bbappend      |  2 +-
>  meta-arm-bsp/wic/efi-disk-no-swap.wks.in      |  2 +-
>  meta-arm/classes/sbsign.bbclass               | 39 +++++++++++++++++++
>  meta-arm/classes/uefi-sb-keys.bbclass         | 24 ++++++++++++
>  meta-arm/conf/layer.conf                      |  2 +
>  .../conf/machine/qemuarm64-secureboot.conf    |  8 ++++
>  .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++
>  meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++
>  .../core-image-minimal-uefi-secureboot.inc    | 17 ++++++++
>  .../images/core-image-minimal.bbappend        |  1 +
>  .../systemd/systemd-boot-uefi-secureboot.inc  | 12 ++++++
>  .../systemd/systemd-boot_%.bbappend           |  1 +
>  meta-arm/recipes-core/systemd/systemd-efi.inc |  1 +
>  .../recipes-core/systemd/systemd_%.bbappend   |  1 +
>  .../linux/linux-yocto%.bbappend               |  2 +
>  .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++
>  meta-arm/uefi-sb-keys/.gitignore              |  4 ++
>  meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 33 ++++++++++++++++
>  21 files changed, 261 insertions(+), 7 deletions(-)
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
>  create mode 100644 meta-arm/classes/sbsign.bbclass
>  create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass
>  create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
>  create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
>  create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
>  create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
>  create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
>  create mode 100644 meta-arm/uefi-sb-keys/.gitignore
>  create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> 
> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot
  2024-08-30  3:06 ` [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Jon Mason
@ 2024-08-30  6:10   ` Mikko Rapeli
  2024-08-30 13:24     ` Jon Mason
  0 siblings, 1 reply; 32+ messages in thread
From: Mikko Rapeli @ 2024-08-30  6:10 UTC (permalink / raw)
  To: Jon Mason; +Cc: Javier Tia, meta-arm, Ross Burton, Jon Mason

Hi,

On Thu, Aug 29, 2024 at 11:06:26PM -0400, Jon Mason wrote:
> Looks like this series is not building for me.  I'm seeing the
> following error:
> 
> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found                     | ETA:  0:00:12
> The following paths were searched:
> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> ERROR: Parsing halted due to errors, see error messages above                                                                                                                                  | ETA:  0:00:14
> ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found
> The following paths were searched:
> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
> The following paths were searched:
> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> 
> > I've not looked into it, but it's being seen on multiple setups and is
> trivial to replicate with:
> kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml

I think this is the secure boot key generation. You should run
meta-arm/uefi-sb-keys/gen_uefi_keys.sh in meta-arm/uefi-sb-keys before
building, or have some other way of distributing the keys to build machines.

This could be part of a recipe but that would be fully non-reproducible.

Maybe there is some kas way of running this script before bitbake build
if the key files are not there?

Cheers,

-Mikko
 
> Thanks,
> Jon
> 
> 
> On Thu, Aug 29, 2024 at 10:31:56AM -0600, Javier Tia wrote:
> > Hi,
> > 
> > Addressing comments from patch series v3.
> > 
> > A backport from meta-ts with the minimal changes to add UEFI Secure Boot
> > into qemuarm64-secureboot machine.
> > 
> > Requirements:
> > 
> >   - Create a UEFI disk partition to copy EFI apps.
> > 
> >   - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.
> > 
> >   - UEFI keys are to be stored in U-Boot and used to sign systemd-boot
> >     and Linux kernel images.
> > 
> >   - Add systemd as Init manager to auto-mount efivarfs.
> > 
> > Introduces uefi-secureboot machine feature.
> > 
> > UEFI keys must be generated in order to be added to U-Boot. Sign both
> > systemd-boot EFI app and Linux kernel image.
> > 
> > Build and verification steps:
> > 
> > $ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'
> > 
> > ---
> > 
> > Changes since v3:
> > - For image creation use core-image-minimal, instead of core-image-base.
> > 
> > Changes since v2:
> > - Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".
> > 
> > Changes since v1:
> > - Rework all subject commits to follow OE, Yocto, and meta-arm guidelines.
> > - Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
> > - Add an OE test to validate UEFI Secure Boot.
> > - Simplify gen_uefi_keys.sh to avoid code repetition.
> > - Replace grub with systemd-boot.
> > - Simplify signing binary images with sbsign class.
> > - Set OE branch to Scarthgap.
> > 
> > Changes since the v0:
> > - Remove u-boot recipe.
> > - Split the change in several commits.
> > - Remove sample UEFI keys.
> > - Validate UEFI keys exist before building.
> > - Isolate most of changes under uefi-secureboot machine feature.
> > 
> > Javier Tia (13):
> >   qemuarm64-secureboot: Introduce uefi-secureboot machine feature
> >   core-image-minimal: Use UEFI layout disk partitions
> >   layer.conf: Introduce UEFI_SB_KEYS_DIR
> >   uefi-sb-keys.bbclass: Add class to validate UEFI keys
> >   sbsign.bbclass: Add class to sign binaries
> >   core-image-minimal: Inherit uefi-sb-keys
> >   meta-arm: Introduce gen-uefi-sb-keys.bb recipe
> >   u-boot: Setup UEFI and Secure Boot
> >   qemuarm64-secureboot: Add meta-secure-core layer as dependency
> >   linux-yocto: Setup UEFI and sign kernel image
> >   systemd: Add UEFI support
> >   systemd-boot: Use it as bootloader & sign UEFI image
> >   meta-arm: Add UEFI Secure Boot test
> > 
> >  ci/qemuarm64-secureboot.yml                   | 14 ++++---
> >  .../u-boot/u-boot-qemuarm64-secureboot.inc    | 18 +++++++++
> >  .../u-boot/u-boot/uefi-secureboot.cfg         | 10 +++++
> >  .../recipes-bsp/u-boot/u-boot_%.bbappend      |  2 +-
> >  meta-arm-bsp/wic/efi-disk-no-swap.wks.in      |  2 +-
> >  meta-arm/classes/sbsign.bbclass               | 39 +++++++++++++++++++
> >  meta-arm/classes/uefi-sb-keys.bbclass         | 24 ++++++++++++
> >  meta-arm/conf/layer.conf                      |  2 +
> >  .../conf/machine/qemuarm64-secureboot.conf    |  8 ++++
> >  .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++
> >  meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++
> >  .../core-image-minimal-uefi-secureboot.inc    | 17 ++++++++
> >  .../images/core-image-minimal.bbappend        |  1 +
> >  .../systemd/systemd-boot-uefi-secureboot.inc  | 12 ++++++
> >  .../systemd/systemd-boot_%.bbappend           |  1 +
> >  meta-arm/recipes-core/systemd/systemd-efi.inc |  1 +
> >  .../recipes-core/systemd/systemd_%.bbappend   |  1 +
> >  .../linux/linux-yocto%.bbappend               |  2 +
> >  .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++
> >  meta-arm/uefi-sb-keys/.gitignore              |  4 ++
> >  meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 33 ++++++++++++++++
> >  21 files changed, 261 insertions(+), 7 deletions(-)
> >  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> >  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
> >  create mode 100644 meta-arm/classes/sbsign.bbclass
> >  create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass
> >  create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
> >  create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
> >  create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> >  create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend
> >  create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
> >  create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
> >  create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
> >  create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
> >  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
> >  create mode 100644 meta-arm/uefi-sb-keys/.gitignore
> >  create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> > 
> > -- 
> > 2.46.0
> > 
> > 



* Re: [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot
  2024-08-30  6:10   ` Mikko Rapeli
@ 2024-08-30 13:24     ` Jon Mason
  2024-09-02 17:53       ` Javier Tia
  0 siblings, 1 reply; 32+ messages in thread
From: Jon Mason @ 2024-08-30 13:24 UTC (permalink / raw)
  To: Mikko Rapeli; +Cc: Javier Tia, meta-arm, Ross Burton, Jon Mason

On Fri, Aug 30, 2024 at 09:10:46AM +0300, Mikko Rapeli wrote:
> Hi,
> 
> On Thu, Aug 29, 2024 at 11:06:26PM -0400, Jon Mason wrote:
> > Looks like this series is not building for me.  I'm seeing the
> > following error:
> > 
> > ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found                     | ETA:  0:00:12
> > The following paths were searched:
> > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> > ERROR: Parsing halted due to errors, see error messages above                                                                                                                                  | ETA:  0:00:14
> > ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found
> > The following paths were searched:
> > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> > ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
> > The following paths were searched:
> > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> > 
> > > I've not looked into it, but it's being seen on multiple setups and is
> > trivial to replicate with:
> > kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml
> 
> I think this is the secure boot key generation. You should run
> meta-arm/uefi-sb-keys/gen_uefi_keys.sh in meta-arm/uefi-sb-keys before
> building, or have some other way of distributing the keys to build machines.
> 
> This could be part of a recipe but that would be fully non-reproducible.

Honestly, I don't even look at the patches if it doesn't pass CI.  It
not generating keys as part of the build seems like a deal breaker.

> Maybe there is some kas way of running this script before bitbake build
> if the key files are not there?

It is possible, but trying to add it is going to be difficult based on
the rewrites that would be necessary based on the way the
.gitlab-ci.yml file is laid out.

Also, are we expecting a developer to know to run this and do this
every time, or are we expecting to generate the keys once and reuse
them?  Even if the latter, I think generating them as part of the
build is logical (perhaps with a detection for existing keys in the
directory or something).

Is it not possible to have some kind of bbappend on u-boot that adds a
dependency on gen-uefi-sb-keys.bb and calls the script?

Thanks,
Jon

> 
> Cheers,
> 
> -Mikko
>  
> > Thanks,
> > Jon
> > 
> > 
> > On Thu, Aug 29, 2024 at 10:31:56AM -0600, Javier Tia wrote:
> > > Hi,
> > > 
> > > Addressing comments from patch series v3.
> > > 
> > > A backport from meta-ts with the minimal changes to add UEFI Secure Boot
> > > into qemuarm64-secureboot machine.
> > > 
> > > Requirements:
> > > 
> > >   - Create a UEFI disk partition to copy EFI apps.
> > > 
> > >   - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.
> > > 
> > >   - UEFI keys are to be stored in U-Boot and used to sign systemd-boot
> > >     and Linux kernel images.
> > > 
> > >   - Add systemd as Init manager to auto-mount efivarfs.
> > > 
> > > Introduces uefi-secureboot machine feature.
> > > 
> > > UEFI keys must be generated in order to be added to U-Boot. Sign both
> > > systemd-boot EFI app and Linux kernel image.
> > > 
> > > Build and verification steps:
> > > 
> > > $ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'
> > > 
> > > ---
> > > 
> > > Changes since v3:
> > > - For image creation use core-image-minimal, instead of core-image-base.
> > > 
> > > Changes since v2:
> > > - Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".
> > > 
> > > Changes since v1:
> > > - Rework all subject commits to follow OE, Yocto, and meta-arm guidelines.
> > > - Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
> > > - Add an OE test to validate UEFI Secure Boot.
> > > - Simplify gen_uefi_keys.sh to avoid code repetition.
> > > - Replace grub with systemd-boot.
> > > - Simplify signing binary images with sbsign class.
> > > - Set OE branch to Scarthgap.
> > > 
> > > Changes since the v0:
> > > - Remove u-boot recipe.
> > > - Split the change in several commits.
> > > - Remove sample UEFI keys.
> > > - Validate UEFI keys exist before building.
> > > - Isolate most of changes under uefi-secureboot machine feature.
> > > 
> > > Javier Tia (13):
> > >   qemuarm64-secureboot: Introduce uefi-secureboot machine feature
> > >   core-image-minimal: Use UEFI layout disk partitions
> > >   layer.conf: Introduce UEFI_SB_KEYS_DIR
> > >   uefi-sb-keys.bbclass: Add class to validate UEFI keys
> > >   sbsign.bbclass: Add class to sign binaries
> > >   core-image-minimal: Inherit uefi-sb-keys
> > >   meta-arm: Introduce gen-uefi-sb-keys.bb recipe
> > >   u-boot: Setup UEFI and Secure Boot
> > >   qemuarm64-secureboot: Add meta-secure-core layer as dependency
> > >   linux-yocto: Setup UEFI and sign kernel image
> > >   systemd: Add UEFI support
> > >   systemd-boot: Use it as bootloader & sign UEFI image
> > >   meta-arm: Add UEFI Secure Boot test
> > > 
> > >  ci/qemuarm64-secureboot.yml                   | 14 ++++---
> > >  .../u-boot/u-boot-qemuarm64-secureboot.inc    | 18 +++++++++
> > >  .../u-boot/u-boot/uefi-secureboot.cfg         | 10 +++++
> > >  .../recipes-bsp/u-boot/u-boot_%.bbappend      |  2 +-
> > >  meta-arm-bsp/wic/efi-disk-no-swap.wks.in      |  2 +-
> > >  meta-arm/classes/sbsign.bbclass               | 39 +++++++++++++++++++
> > >  meta-arm/classes/uefi-sb-keys.bbclass         | 24 ++++++++++++
> > >  meta-arm/conf/layer.conf                      |  2 +
> > >  .../conf/machine/qemuarm64-secureboot.conf    |  8 ++++
> > >  .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++
> > >  meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++
> > >  .../core-image-minimal-uefi-secureboot.inc    | 17 ++++++++
> > >  .../images/core-image-minimal.bbappend        |  1 +
> > >  .../systemd/systemd-boot-uefi-secureboot.inc  | 12 ++++++
> > >  .../systemd/systemd-boot_%.bbappend           |  1 +
> > >  meta-arm/recipes-core/systemd/systemd-efi.inc |  1 +
> > >  .../recipes-core/systemd/systemd_%.bbappend   |  1 +
> > >  .../linux/linux-yocto%.bbappend               |  2 +
> > >  .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++
> > >  meta-arm/uefi-sb-keys/.gitignore              |  4 ++
> > >  meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 33 ++++++++++++++++
> > >  21 files changed, 261 insertions(+), 7 deletions(-)
> > >  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> > >  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
> > >  create mode 100644 meta-arm/classes/sbsign.bbclass
> > >  create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass
> > >  create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
> > >  create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
> > >  create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> > >  create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend
> > >  create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
> > >  create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
> > >  create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
> > >  create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
> > >  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
> > >  create mode 100644 meta-arm/uefi-sb-keys/.gitignore
> > >  create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> > > 
> > > -- 
> > > 2.46.0
> > > 
> > > 
> 


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH v4 03/13] layer.conf: Introduce UEFI_SB_KEYS_DIR
  2024-08-29 16:31 ` [PATCH v4 03/13] layer.conf: Introduce UEFI_SB_KEYS_DIR Javier Tia
@ 2024-08-30 14:00   ` Jon Mason
  0 siblings, 0 replies; 32+ messages in thread
From: Jon Mason @ 2024-08-30 14:00 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:31:59AM -0600, Javier Tia wrote:
> UEFI_SB_KEYS_DIR saves UEFI keys path.
> 
> To avoid security issues, UEFI keys are not provided and they can be
> generated by gen_uefi_keys.sh script.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  meta-arm/conf/layer.conf               |  2 ++
>  meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++
>  2 files changed, 37 insertions(+)
>  create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> 
> diff --git a/meta-arm/conf/layer.conf b/meta-arm/conf/layer.conf
> index 9e9c9dbd..2854dd69 100644
> --- a/meta-arm/conf/layer.conf
> +++ b/meta-arm/conf/layer.conf
> @@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet"
>  addpylib ${LAYERDIR}/lib oeqa
>  
>  WARN_QA:append:layer-meta-arm = " patch-status"
> +
> +UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"

I'm expecting the keys to be unique for each machine build.  If so,
shouldn't the keys live in the deploy directory (assuming we want to
reference them or reuse them) or the destination/work dir?  This would
also remove the need to have the gitignore file, which I don't think
is correct to have.

> \ No newline at end of file
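Review bot: `UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"` defaults the key directory to a path inside the layer checkout, so the private keys gen_uefi_keys.sh writes (PK.key, KEK.key, db.key) land in the source tree that gets committed, tarred or shared; a build-relative default (under ${TOPDIR} or the deploy directory, as suggested above) keeps them out of the repository and removes the need for the .gitignore. The hunk also leaves layer.conf without a trailing newline ("\ No newline at end of file"); please add one.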
> diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> new file mode 100755
> index 00000000..fc7f25c9
> --- /dev/null
> +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> @@ -0,0 +1,35 @@
> +#/bin/sh
> +
> +set -eux
> +
> +#Create PK
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650

Here and below, do we want to say these are Linaro keys?  I'm not
seeing anywhere else that checks (but I don't know this well enough to
know if it does somewhere else).  If not, should we do something else
like "OpenEmbedded"?

> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
> +
> +#Create KEK
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
> +
> +#Create DB
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
> +sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
> +
> +#Create DBX
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
> +cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
> +sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
> +
> +#Sign image
> +#sbsign --key db.key --cert db.crt Image

Here and below are commented out.  Is this intentional?  If so, then
why are they being kept in here (e.g., larger comments needed)?

> +#Digest image
> +#hash-to-efi-sig-list Image db_Image.hash
> +#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
> +
> +#Empty cert for testing
> +touch noPK.esl
> +sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
> +
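Review bot: the shebang on the first line is `#/bin/sh`, missing the `!`, so the kernel cannot execute the script directly and the 100755 mode is misleading; make it `#!/bin/sh`. Two further points: every key is written into the current working directory with the process umask, so a `umask 077` before the openssl calls would stop the `-nodes` (unencrypted) private keys being created world-readable; and the `noPK.auth` produced under "Empty cert for testing" is a PK-signed authorisation to clear the Platform Key, which returns the firmware to setup mode, so it should not be generated by default into the same directory as the production key set. The commented-out sbsign and hash-to-efi-sig-list lines at the end either belong in documentation or should be dropped, as asked above.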
> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 04/13] uefi-sb-keys.bbclass: Add class to validate UEFI keys
  2024-08-29 16:32 ` [PATCH v4 04/13] uefi-sb-keys.bbclass: Add class to validate UEFI keys Javier Tia
@ 2024-08-30 14:03   ` Jon Mason
  0 siblings, 0 replies; 32+ messages in thread
From: Jon Mason @ 2024-08-30 14:03 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:32:00AM -0600, Javier Tia wrote:
> Without UEFI keys, signing will fail and the OS will not boot.

I think this can be squashed with the previous commit.

Thanks,
Jon

> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
>  create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass
> 
> diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass
> new file mode 100644
> index 00000000..e800b4c6
> --- /dev/null
> +++ b/meta-arm/classes/uefi-sb-keys.bbclass
> @@ -0,0 +1,24 @@
> +# Validate UEFI keys
> +python __anonymous () {
> +    if d.getVar("UEFI_SB_KEYS_DIR", False) is None:
> +        raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.")
> +
> +    # keys used for UEFI secure boot
> +    uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR")
> +
> +    keys_to_check = [
> +        uefi_sb_keys + "/PK.esl",
> +        uefi_sb_keys + "/KEK.esl",
> +        uefi_sb_keys + "/dbx.esl",
> +        uefi_sb_keys + "/db.esl",
> +        uefi_sb_keys + "/db.key",
> +        uefi_sb_keys + "/db.crt",
> +    ]
> +
> +    missing_keys = [f for f in keys_to_check if not os.path.exists(f)]
> +
> +    if missing_keys:
> +        raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), )
> +            + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys)
> +
> +}
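Review bot: `bb.parse.SkipRecipe` turns a missing key set into a skipped provider rather than a build failure, so `bitbake core-image-minimal` reports that the image was skipped, which is easy to misread in CI; for a secure-boot build a missing signing key is an error, so `bb.fatal()` with the same message gives the clearer result. The check is also existence-only: it does not verify that db.key is the private key for db.crt or that the .esl files are well-formed, which is where a wrong key set actually bites (the kernel signs fine, the firmware rejects the image at boot). Minor: the stray blank line before the closing brace, and "Required missing keys" reads better as "Missing required keys".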
> -- 
> 2.46.0
> 
> 


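The class above only checks that the key files exist. As an added example, not part of the series or of meta-arm, here is the structural check of the .esl files gen_uefi_keys.sh produces that would catch a truncated or hand-edited list before U-Boot embeds it: it parses the EFI_SIGNATURE_LIST layout (SignatureType GUID, list, header and signature sizes, then one SignatureOwner GUID plus DER certificate per entry) and refuses anything whose size fields do not fit the buffer. The EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID values are the ones from the UEFI specification, the owner GUID is the placeholder gen_uefi_keys.sh passes to `-g`, and `build_esl`, the fake certificate bytes and the function names are my own constructions so that the block runs offline.

```python
"""Structural validation of EFI_SIGNATURE_LIST (.esl) files (added example)."""
import struct
import uuid

# SignatureType GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (three little-endian UINT32).
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # each EFI_SIGNATURE_DATA starts with the SignatureOwner GUID


def parse_esl(blob):
    """Parse one or more concatenated EFI_SIGNATURE_LISTs.

    Returns a list of (signature_type, owner_guid, signature_data) tuples and
    raises ValueError for any size field that does not fit the buffer, so a
    truncated or corrupt .esl is rejected instead of silently accepted.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        stype_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize %d does not fit the buffer" % list_size)
        if sig_size <= _OWNER_LEN:
            raise ValueError("SignatureSize %d leaves no room for signature data" % sig_size)
        body = blob[off + _LIST_HDR.size + hdr_size:off + list_size]
        if len(body) == 0 or len(body) % sig_size != 0:
            raise ValueError("signature array of %d bytes is not a multiple of %d"
                             % (len(body), sig_size))
        stype = uuid.UUID(bytes_le=stype_raw)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + _OWNER_LEN])
            entries.append((stype, owner, body[i + _OWNER_LEN:i + sig_size]))
        off += list_size
    return entries


def build_esl(sig_type, owner, data):
    """Build a single-entry list with SignatureHeaderSize 0, the layout
    cert-to-efi-sig-list writes for an X.509 certificate (test helper)."""
    sig_size = _OWNER_LEN + len(data)
    list_size = _LIST_HDR.size + sig_size
    return (_LIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
            + owner.bytes_le + data)


def check_x509_esl(blob, expected_owner=None):
    """Return (ok, reason): ok only when the blob parses, is non-empty, holds
    only X.509 entries whose payload starts with a DER SEQUENCE (0x30) and,
    if expected_owner is given, every entry carries that SignatureOwner."""
    try:
        entries = parse_esl(blob)
    except ValueError as e:
        return False, str(e)
    if not entries:
        return False, "no signature entries (empty list)"
    for stype, owner, data in entries:
        if stype != EFI_CERT_X509_GUID:
            return False, "unexpected SignatureType %s" % stype
        if not data or data[0] != 0x30:
            return False, "entry payload does not start with a DER SEQUENCE"
        if expected_owner is not None and owner != expected_owner:
            return False, "SignatureOwner %s != %s" % (owner, expected_owner)
    return True, "ok"


def check_esl_file(path, expected_owner=None):
    """Same check against a file on disk, e.g. ${UEFI_SB_KEYS_DIR}/db.esl."""
    with open(path, "rb") as f:
        return check_x509_esl(f.read(), expected_owner)


# Constructed sample input (not real keys): the owner GUID gen_uefi_keys.sh
# passes to -g, a stand-in DER blob (SEQUENCE, long-form length 256) for
# db.crt, and a SHA-256 hash entry of the kind hash-to-efi-sig-list emits.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-123456789abc")
SAMPLE_OTHER_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000000")
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"\xaa" * 256
SAMPLE_DB_ESL = build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, SAMPLE_CERT_DER)
SAMPLE_HASH_ESL = build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, b"\x00" * 32)

if __name__ == "__main__":
    print(check_x509_esl(SAMPLE_DB_ESL, SAMPLE_OWNER))
    print(check_x509_esl(SAMPLE_DB_ESL[:-1], SAMPLE_OWNER))  # truncated by one byte
```

In a uefi-sb-keys style class this would run as `check_esl_file(uefi_sb_keys + "/db.esl")` next to the existence check; `parse_esl` handles dbx lists of hash entries too, so the same parser covers every file the script generates.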

* Re: [PATCH v4 05/13] sbsign.bbclass: Add class to sign binaries
  2024-08-29 16:32 ` [PATCH v4 05/13] sbsign.bbclass: Add class to sign binaries Javier Tia
@ 2024-08-30 14:12   ` Jon Mason
  2024-09-02  6:35     ` Mikko Rapeli
  0 siblings, 1 reply; 32+ messages in thread
From: Jon Mason @ 2024-08-30 14:12 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:32:01AM -0600, Javier Tia wrote:
> A lot of recipes are using these same steps to sign binaries
> for UEFI secure boot.

Okay, I'm being overly nitpicky here.  But SB means "sign binary",
right?  So this is "sign binary sign"?  I have a mild concern of name
space of "SB" and I think it would generally be more obvious if "sb"
became "signbinary" or something similar.  I don't have very strong
feelings about it.  So feel free to ignore if you disagree.

Also, I think this could be squashed with the previous (as I'm having
to use a local git branch to review since these patches are split too
small).

Thanks,
Jon

> 
> Authored-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++
>  1 file changed, 39 insertions(+)
>  create mode 100644 meta-arm/classes/sbsign.bbclass
> 
> diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass
> new file mode 100644
> index 00000000..a99c0218
> --- /dev/null
> +++ b/meta-arm/classes/sbsign.bbclass
> @@ -0,0 +1,39 @@
> +# Sign binaries for UEFI secure boot
> +# Usage in recipes:
> +#
> +# Set key and cert files in recipe or machine/distro config:
> +# SBSIGN_KEY = "db.key"
> +# SBSIGN_CERT = "db.crt"
> +#
> +# Set binary to sign per recipe:
> +# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign"
> +#
> +# Then call do_sbsign() in correct stage of the build
> +# do_compile:append() {
> +#     do_sbsign
> +# }
> +
> +DEPENDS += "sbsigntool-native"
> +
> +SBSIGN_KEY ?= "db.key"
> +SBSIGN_CERT ?= "db.crt"
> +SBSIGN_TARGET_BINARY ?= "binary_to_sign"
> +
> +# makes sure changed keys trigger rebuild/re-signing
> +SRC_URI += "\
> +    file://${SBSIGN_KEY} \
> +    file://${SBSIGN_CERT} \
> +"
> +
> +# not adding as task since recipes may need to sign binaries at different
> +# stages. Instead they can call this function when needed by calling this function
> +do_sbsign() {
> +    bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}"
> +    ${STAGING_BINDIR_NATIVE}/sbsign \
> +        --key "${UNPACKDIR}/${SBSIGN_KEY}" \
> +        --cert "${UNPACKDIR}/${SBSIGN_CERT}" \
> +        --output  "${SBSIGN_TARGET_BINARY}.signed" \
> +        "${SBSIGN_TARGET_BINARY}"
> +    cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"
> +    cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}"
> +}
> \ No newline at end of file
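Review bot: do_sbsign is not idempotent: it copies the target to `.unsigned` only after sbsign has run, so a second invocation (a re-run of do_compile, or a recipe that calls it twice) overwrites `.unsigned` with the already-signed file and then signs a signed binary. Take the `.unsigned` copy first and only if it does not already exist, and sign from that copy, e.g. `[ -e "${SBSIGN_TARGET_BINARY}.unsigned" ] || cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"` before invoking sbsign on the `.unsigned` input. The header comment "Instead they can call this function when needed by calling this function" repeats itself, and the file is missing its final newline.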
> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 06/13] core-image-minimal: Inherit uefi-sb-keys
  2024-08-29 16:32 ` [PATCH v4 06/13] core-image-minimal: Inherit uefi-sb-keys Javier Tia
@ 2024-08-30 14:14   ` Jon Mason
  0 siblings, 0 replies; 32+ messages in thread
From: Jon Mason @ 2024-08-30 14:14 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:32:02AM -0600, Javier Tia wrote:
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  .../recipes-core/images/core-image-minimal-uefi-secureboot.inc  | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> index 351e9030..2232d3b3 100644
> --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> @@ -1 +1,3 @@
> +inherit uefi-sb-keys
> +
>  WKS_FILE = "efi-disk-no-swap.wks.in"
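Review bot: inheriting the parse-time key check in the image recipe interacts badly with patch 07, which generates the keys at build time in gen-uefi-sb-keys: on a fresh checkout the .esl files do not exist when the image is parsed, so the image is skipped before the generator recipe can run and the user has to run gen_uefi_keys.sh by hand first. Either the check moves to the recipes that consume the keys (u-boot, linux-yocto) with a dependency on the generator, or the generator is dropped in favour of the documented manual step; doing both leaves a chicken-and-egg problem.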

This should be squashed with patch #2

> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 07/13] meta-arm: Introduce gen-uefi-sb-keys.bb recipe
  2024-08-29 16:32 ` [PATCH v4 07/13] meta-arm: Introduce gen-uefi-sb-keys.bb recipe Javier Tia
@ 2024-08-30 14:17   ` Jon Mason
  0 siblings, 0 replies; 32+ messages in thread
From: Jon Mason @ 2024-08-30 14:17 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:32:03AM -0600, Javier Tia wrote:
> Generate a new set of keys on build time. It avoids to use same keys
> which could generate a security issue.

Squash with patch #3 and #4

> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++
>  meta-arm/uefi-sb-keys/.gitignore              |  4 ++
>  meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 56 +++++++++----------
>  3 files changed, 57 insertions(+), 29 deletions(-)
>  create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
>  create mode 100644 meta-arm/uefi-sb-keys/.gitignore
> 
> diff --git a/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
> new file mode 100644
> index 00000000..a4ae6d87
> --- /dev/null
> +++ b/meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
> @@ -0,0 +1,26 @@
> +# SPDX-License-Identifier: MIT
> +
> +SUMMARY = "Generate UEFI keys for secure boot"
> +LICENSE = "MIT"
> +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
> +
> +DEPENDS += "bash-native"
> +DEPENDS += "coreutils-native"
> +DEPENDS += "efitools-native"
> +DEPENDS += "openssl-native"
> +
> +SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh"
> +
> +UNPACKDIR = "${S}"
> +
> +do_fetch[noexec] = "1"
> +do_patch[noexec] = "1"
> +do_compile[noexec] = "1"
> +do_configure[noexec] = "1"
> +
> +do_install() {
> +    ${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh ${UEFI_SB_KEYS_DIR}
> +}
> +
> +FILES:${PN} = "${UEFI_SB_KEYS_DIR}/*.key"
> +FILES:${PN} += "${UEFI_SB_KEYS_DIR}/*.crt"
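Review bot: do_install writes the keys into `${UEFI_SB_KEYS_DIR}` (the layer source tree) instead of `${D}`, and `FILES:${PN}` then lists absolute host paths, so nothing is packaged and the task is not reproducible: every re-execution of do_install regenerates a fresh PK/KEK/db, and a U-Boot built against the previous ESLs will then reject a kernel signed with the new db.key. Generate into `${D}` or `${DEPLOYDIR}` via the deploy class, have u-boot and linux-yocto depend on `gen-uefi-sb-keys:do_deploy`, and refuse to regenerate over an existing key set. Separately, `SRC_URI = "file://${UEFI_SB_KEYS_DIR}/gen_uefi_keys.sh"` combined with `do_fetch[noexec]` is odd: if the intent is to make the script part of the task hash, `do_install[file-checksums]` is the usual way.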
> diff --git a/meta-arm/uefi-sb-keys/.gitignore b/meta-arm/uefi-sb-keys/.gitignore
> new file mode 100644
> index 00000000..f8669919
> --- /dev/null
> +++ b/meta-arm/uefi-sb-keys/.gitignore
> @@ -0,0 +1,4 @@
> +*.auth
> +*.crt
> +*.esl
> +*.key
> \ No newline at end of file
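Review bot: a .gitignore for `*.key`, `*.crt`, `*.esl` and `*.auth` inside the layer confirms that generated secrets are being written into the git checkout; with the key directory moved out of the layer (see the layer.conf comment) this file is unnecessary. It is also missing its final newline.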
> diff --git a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> index fc7f25c9..21e65c72 100755
> --- a/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> +++ b/meta-arm/uefi-sb-keys/gen_uefi_keys.sh
> @@ -1,35 +1,33 @@
> -#/bin/sh
> +#!/bin/bash
> +#
> +# SPDX-License-Identifier: MIT
> +#
>  
>  set -eux
>  
> -#Create PK
> -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
> -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
> -sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
> +KEYS_PATH=${1:-./}
> +SUBJECT="/CN=Linaro_LEDGE/"
> +GUID="11111111-2222-3333-4444-123456789abc"
>  
> -#Create KEK
> -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
> -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
> -sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
> +openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \
> +    -keyout "${KEYS_PATH}"/PK.key -out "${KEYS_PATH}"/PK.crt \
> +    -nodes -days 3650
> +cert-to-efi-sig-list -g ${GUID} \
> +    "${KEYS_PATH}"/PK.crt "${KEYS_PATH}"/PK.esl
> +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
> +    "${KEYS_PATH}"/PK "${KEYS_PATH}"/PK.esl "${KEYS_PATH}"/PK.auth
>  
> -#Create DB
> -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
> -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
> -sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
> -
> -#Create DBX
> -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
> -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
> -sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
> -
> -#Sign image
> -#sbsign --key db.key --cert db.crt Image
> -
> -#Digest image
> -#hash-to-efi-sig-list Image db_Image.hash
> -#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
> -
> -#Empty cert for testing
> -touch noPK.esl
> -sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
> +for key in KEK db dbx; do
> +    openssl req -x509 -sha256 -newkey rsa:2048 -subj "${SUBJECT}" \
> +        -keyout "${KEYS_PATH}"/${key}.key -out "${KEYS_PATH}"/${key}.crt \
> +        -nodes -days 3650
> +    cert-to-efi-sig-list -g ${GUID} \
> +        "${KEYS_PATH}"/${key}.crt "${KEYS_PATH}"/${key}.esl
> +    sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
> +        "${KEYS_PATH}"/${key} "${KEYS_PATH}"/${key}.esl "${KEYS_PATH}"/${key}.auth
> +done
>  
> +# Empty cert for testing
> +touch "${KEYS_PATH}"/noPK.esl
> +sign-efi-sig-list -c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key \
> +    "${KEYS_PATH}"/PK "${KEYS_PATH}"/noPK.esl "${KEYS_PATH}"/noPK.auth
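Review bot: the loop signs KEK, db and dbx all with the PK (`-c "${KEYS_PATH}"/PK.crt -k "${KEYS_PATH}"/PK.key`), whereas the removed lines signed db and dbx with the KEK; the specification accepts either, but this is a behaviour change the commit message does not mention, and the conventional chain (PK signs KEK, KEK signs db/dbx) is what lets routine db updates be made without the PK present. Also: `umask 077` before the openssl calls so the `-nodes` private keys are not created world-readable; quote `${GUID}` like the other expansions; and the shebang changed from sh to bash without anything in the script needing bash, which is presumably why the recipe now pulls in bash-native.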
> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 08/13] u-boot: Setup UEFI and Secure Boot
  2024-08-29 16:32 ` [PATCH v4 08/13] u-boot: Setup UEFI and Secure Boot Javier Tia
@ 2024-08-30 14:23   ` Jon Mason
  0 siblings, 0 replies; 32+ messages in thread
From: Jon Mason @ 2024-08-30 14:23 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:32:04AM -0600, Javier Tia wrote:
> Add U-Boot minimal UEFI definitions.
> 
> Embedded UEFI variables with the keys previously generated. It's to
> enable UEFI Secure Boot and verify the authenticity of the firmware and
> operating system.
> 
> When U-Boot is built with UEFI support, it includes a set of efivars
> that are used to store the Secure Boot variables. These efivars are
> embedded in the U-Boot binary and are stored in the flash memory of the
> system.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  .../u-boot/u-boot-qemuarm64-secureboot.inc     | 18 ++++++++++++++++++
>  .../u-boot/u-boot/uefi-secureboot.cfg          | 10 ++++++++++
>  .../recipes-bsp/u-boot/u-boot_%.bbappend       |  2 +-
>  3 files changed, 29 insertions(+), 1 deletion(-)
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
> 
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> new file mode 100644
> index 00000000..ffad08e4
> --- /dev/null
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> @@ -0,0 +1,18 @@
> +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
> +
> +SRC_URI += "file://uefi-secureboot.cfg"
> +
> +UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"
> +UBOOT_ENV_NAME = "qemu-arm.env"

I'm not seeing these variables referenced anywhere (but I could be
missing it).  Per my comment below, if removed this could be generic.

> +
> +DEPENDS += 'python3-pyopenssl-native'
> +
> +do_compile:prepend() {
> +    export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
> +
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk  -d "${UEFI_SB_KEYS_DIR}"/PK.esl  -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db  -d "${UEFI_SB_KEYS_DIR}"/db.esl  -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file
> +    "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
> +}
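Review bot: nothing here makes U-Boot wait for the key files: the kernel side adds `DEPENDS += 'gen-uefi-sb-keys'` in patch 10, but this .inc reads `${UEFI_SB_KEYS_DIR}/*.esl` in do_compile:prepend without any dependency on the generator, so a clean `bitbake u-boot` can run before the ESLs exist and fail in efivar.py. The seed is also written into `${S}/ubootefi.var`; if that is where CONFIG_EFI_VARIABLES_PRESEED picks it up, remove any stale file first so a seed from a previous key set is never embedded, and note that writing into `${S}` breaks for externalsrc checkouts. `UBOOT_BOARDDIR` and `UBOOT_ENV_NAME` are set but not used anywhere in the series, as noted above.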
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
> new file mode 100644
> index 00000000..d2edb5fb
> --- /dev/null
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
> @@ -0,0 +1,10 @@
> +CONFIG_CMD_BOOTMENU=y
> +CONFIG_USE_BOOTCOMMAND=y
> +CONFIG_BOOTCOMMAND="bootmenu"
> +CONFIG_USE_PREBOOT=y
> +CONFIG_EFI_VAR_BUF_SIZE=65536
> +CONFIG_FIT_SIGNATURE=y
> +CONFIG_EFI_SECURE_BOOT=y
> +CONFIG_EFI_VARIABLES_PRESEED=y
> +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
> +CONFIG_PREBOOT_DEFINED=y
> \ No newline at end of file
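Review bot: `CONFIG_FIT_SIGNATURE=y` enables verified boot for FIT images, which nothing in this series uses (the kernel is loaded as a signed PE through `bootefi bootmgr`); if CONFIG_EFI_SECURE_BOOT does not need it on this U-Boot version, drop it, otherwise say so in the commit message. The rest is consistent with a preseeded variable store: CONFIG_EFI_SECURE_BOOT=y with CONFIG_EFI_VARIABLES_PRESEED=y puts the firmware into user mode with the embedded PK from first boot. The file lacks a trailing newline.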
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> index 11f332ad..ee815b6a 100644
> --- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> @@ -5,6 +5,6 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
>  MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
>  MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
>  MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
> +MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"

This seems like it should be generic, but references
"qemuarm64-secureboot"

>  
>  require ${MACHINE_U-BOOT_REQUIRE}
> -
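Review bot: `MACHINE_U-BOOT_REQUIRE += ...` appends to the base value of a variable that the lines above assign with machine overrides (`:corstone1000`, `:fvp-base`, `:juno`, `:tc`); when such an override is active it replaces the whole value, so for any of those machines enabling the uefi-secureboot feature the secure-boot .inc would silently not be required. Use a separate `require ${@bb.utils.contains(...)}` line, as the kernel bbappend in patch 10 does. The .inc name also hard-codes qemuarm64-secureboot although its contents are generic, as noted above.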
> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 09/13] qemuarm64-secureboot: Add meta-secure-core layer as dependency
  2024-08-29 16:32 ` [PATCH v4 09/13] qemuarm64-secureboot: Add meta-secure-core layer as dependency Javier Tia
@ 2024-08-30 15:03   ` Jon Mason
  0 siblings, 0 replies; 32+ messages in thread
From: Jon Mason @ 2024-08-30 15:03 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:32:05AM -0600, Javier Tia wrote:
> meta-secure-core is required because of sbsigntool.

This should be combined with 13, though I think it should be a unique
yml (and I think the entire machine feature should be removed from
qemuarm64-secureboot machine conf and added to the CI matrix via a yml
and entry to .gitlab-ci.yml).

Thanks,
Jon

> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  ci/qemuarm64-secureboot.yml | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
> index fdde1e79..03281a08 100644
> --- a/ci/qemuarm64-secureboot.yml
> +++ b/ci/qemuarm64-secureboot.yml
> @@ -4,13 +4,15 @@ header:
>    version: 14
>    includes:
>      - ci/base.yml
> -
> -machine: qemuarm64-secureboot
> +    - ci/meta-openembedded.yml
> +    - ci/meta-secure-core.yml
>  
>  local_conf_header:
>    optee: |
>      IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
>      TEST_SUITES:append = " optee ftpm"
>  
> +machine: qemuarm64-secureboot
> +
>  target:
>    - core-image-minimal
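Review bot: half of this hunk is moving `machine: qemuarm64-secureboot` below `local_conf_header:`, a reorder with no functional effect that hides the real change (the two new includes) and compounds the `target:` move in patch 02; keep the key where it was and add only the includes. Since the commit message says meta-secure-core is needed for sbsigntool, record the layer dependency where users will see it (README, or a LAYERDEPENDS for the feature), not only in the CI yml.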
> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 10/13] linux-yocto: Setup UEFI and sign kernel image
  2024-08-29 16:32 ` [PATCH v4 10/13] linux-yocto: Setup UEFI and sign kernel image Javier Tia
@ 2024-08-30 15:16   ` Jon Mason
  0 siblings, 0 replies; 32+ messages in thread
From: Jon Mason @ 2024-08-30 15:16 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:32:06AM -0600, Javier Tia wrote:
> efivarfs kernel module is required to access EFI vars.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  .../core-image-minimal-uefi-secureboot.inc    |  8 ++++++++
>  .../linux/linux-yocto%.bbappend               |  2 ++
>  .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++++++++++++
>  3 files changed, 29 insertions(+)
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
> 
> diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> index 2232d3b3..06046f6e 100644
> --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> @@ -1,3 +1,11 @@
>  inherit uefi-sb-keys
>  
>  WKS_FILE = "efi-disk-no-swap.wks.in"
> +
> +# Detected by passing kernel parameter
> +QB_KERNEL_ROOT = ""
> +
> +# kernel is in the image, should not be loaded separately
> +QB_DEFAULT_KERNEL = "none"
> +

QB's are qemu testing variables.  I don't think they should be here.
Either move them to the machine conf, or the yml file, or make a
machine just for this based on qemuarm64-secureboot.

> +KERNEL_IMAGETYPE = "Image"
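Review bot: `KERNEL_IMAGETYPE = "Image"` set in an image .inc only changes the image recipe's datastore; the kernel recipe does not see it and keeps building whatever type the machine sets, while the image's `IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"` now looks for `Image`. It belongs in the machine conf (or the CI yml) together with the QB_* variables, as noted above.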
> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
> index a287d0e1..29c21355 100644
> --- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
> +++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
> @@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \
>  
>  FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
>  require ${FFA_TRANSPORT_INCLUDE}
> +
> +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
> \ No newline at end of file
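Review bot: the file now ends without a newline; please add one. The FFA_TRANSPORT_INCLUDE lines just above show the layer's existing style of naming the conditional include in a variable before the `require`, which would keep the two blocks consistent.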
> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
> new file mode 100644
> index 00000000..cb62fdee
> --- /dev/null
> +++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
> @@ -0,0 +1,19 @@
> +KERNEL_FEATURES += "cfg/efi-ext.scc"
> +
> +DEPENDS += 'gen-uefi-sb-keys'
> +
> +inherit sbsign
> +
> +SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"
> +SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt"
> +
> +# shell variable set inside do_compile task
> +SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"
> +
> +do_compile:append() {
> +    KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)
> +    do_sbsign
> +}
> +
> +RRECOMMENDS:${PN} += "kernel-module-efivarfs"
> +RRECOMMENDS:${PN} += "kernel-module-efivars"
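Review bot: `find ${B} -name ${KERNEL_IMAGETYPE} -print -quit` signs whichever matching file find reaches first, and it only works when the type is the raw PE `Image`: a machine with `KERNEL_IMAGETYPE = "Image.gz"` would hand sbsign a gzip stream. Sign the known path `${B}/arch/${ARCH}/boot/Image` explicitly and fail if it is missing rather than searching. The two RRECOMMENDS also differ in kind: efivarfs is what efivar and systemd use, efivars is the legacy sysfs interface; with `cfg/efi-ext.scc` building the support in, neither module package may exist, which RRECOMMENDS silently tolerates, so state which one is actually required.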
> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 11/13] systemd: Add UEFI support
  2024-08-29 16:32 ` [PATCH v4 11/13] systemd: Add UEFI support Javier Tia
@ 2024-08-30 15:24   ` Jon Mason
  2024-09-02  6:43     ` Mikko Rapeli
  0 siblings, 1 reply; 32+ messages in thread
From: Jon Mason @ 2024-08-30 15:24 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:32:07AM -0600, Javier Tia wrote:
> Signed-off-by: Javier Tia <javier.tia@linaro.org>

I'm going to want a HUGE comment on why systemd is required here.  Are
there some unique things in systemd that aren't present for sysvinit?
Also, I think the systemd patches should be squashed together.

Thanks,
Jon

> ---
>  meta-arm/conf/machine/qemuarm64-secureboot.conf              | 5 +++++
>  .../images/core-image-minimal-uefi-secureboot.inc            | 2 ++
>  meta-arm/recipes-core/systemd/systemd-efi.inc                | 1 +
>  meta-arm/recipes-core/systemd/systemd_%.bbappend             | 1 +
>  4 files changed, 9 insertions(+)
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
>  create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
> 
> diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> index 2483c4ac..542d09a3 100644
> --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
> +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> @@ -22,4 +22,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
>  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
>  
>  MACHINE_FEATURES += "optee-ftpm"
> +MACHINE_FEATURES += "efi"
>  MACHINE_FEATURES += "uefi-secureboot"
> +
> +INIT_MANAGER = "systemd"
> +DISTRO_FEATURES += "systemd"
> +DISTRO_FEATURES_NATIVE += "systemd"
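Review bot: `DISTRO_FEATURES += "systemd"` in a machine conf is evaluated at parse time before the distro's own `DISTRO_FEATURES ?= ...` default is read (bitbake.conf includes the machine conf before the distro conf), so the `+=` can leave DISTRO_FEATURES containing only " systemd" and drop the distro's default list. Use `DISTRO_FEATURES:append = " systemd"` if it must stay here, but init-manager and distro-feature policy really belong in the distro or the CI yml, with the justification requested above. `DISTRO_FEATURES_NATIVE += "systemd"` needs a comment saying which native recipe depends on it.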
> diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> index 06046f6e..07e315a3 100644
> --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> @@ -9,3 +9,5 @@ QB_KERNEL_ROOT = ""
>  QB_DEFAULT_KERNEL = "none"
>  
>  KERNEL_IMAGETYPE = "Image"
> +
> +IMAGE_INSTALL += "systemd"
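Review bot: `IMAGE_INSTALL += "systemd"` is redundant once `INIT_MANAGER = "systemd"` is set, since packagegroup-core-boot pulls systemd in; this .inc is also touched by nearly every patch in the series, which is a sign the split should follow the earlier squash suggestions.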
> diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc
> new file mode 100644
> index 00000000..5572e51a
> --- /dev/null
> +++ b/meta-arm/recipes-core/systemd/systemd-efi.inc
> @@ -0,0 +1 @@
> +PACKAGECONFIG:append = " efi"
> diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend
> new file mode 100644
> index 00000000..660358c2
> --- /dev/null
> +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend
> @@ -0,0 +1 @@
> +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}
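Review bot: the condition here keys on the `efi` machine feature while the rest of the series keys on `uefi-secureboot`; pick one so a machine with `efi` but not secure boot (or the reverse) behaves predictably. A one-line .inc holding `PACKAGECONFIG:append = " efi"` can be inlined here as `PACKAGECONFIG:append = "${@bb.utils.contains('MACHINE_FEATURES', 'efi', ' efi', '', d)}"`.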
> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 13/13] meta-arm: Add UEFI Secure Boot test
  2024-08-29 16:32 ` [PATCH v4 13/13] meta-arm: Add UEFI Secure Boot test Javier Tia
@ 2024-08-30 15:28   ` Jon Mason
  0 siblings, 0 replies; 32+ messages in thread
From: Jon Mason @ 2024-08-30 15:28 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:32:09AM -0600, Javier Tia wrote:
> Add a test to verify UEFI Secure Boot is enabled
> 
> Run the test:
> 
> kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  ci/qemuarm64-secureboot.yml                   |  2 ++
>  .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++++++
>  .../core-image-minimal-uefi-secureboot.inc    |  6 +++-
>  3 files changed, 39 insertions(+), 1 deletion(-)
>  create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
> 
> diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
> index 03281a08..3eb8c20c 100644
> --- a/ci/qemuarm64-secureboot.yml
> +++ b/ci/qemuarm64-secureboot.yml
> @@ -11,6 +11,8 @@ local_conf_header:
>    optee: |
>      IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
>      TEST_SUITES:append = " optee ftpm"
> +  uefi_secure_boot: |
> +    TEST_SUITES:append = " uefi_secure_boot"
>  
>  machine: qemuarm64-secureboot
>  
> diff --git a/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
> new file mode 100644
> index 00000000..4a62b54c
> --- /dev/null
> +++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
> @@ -0,0 +1,32 @@
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +import os
> +
> +from oeqa.runtime.case import OERuntimeTestCase
> +from oeqa.runtime.decorator.package import OEHasPackage
> +from oeqa.core.decorator.oetimeout import OETimeout
> +
> +
> +class UEFI_SB_TestSuite(OERuntimeTestCase):
> +    """
> +    Validate Secure Boot is Enabled
> +    """
> +
> +    @OETimeout(1300)
> +    def test_uefi_secure_boot(self):
> +        # Validate Secure Boot is enabled by checking
> +        # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
> +        # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
> +        # identifier for the Secure Boot UEFI variable. By checking the value of
> +        # this variable, specifically
> +        # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
> +        # whether Secure Boot is enabled or not. This variable is set by the
> +        # UEFI firmware to indicate the current Secure Boot state. If the
> +        # variable is set to a value of '0x1' (or '1'), it indicates that Secure
> +        # Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
> +        # it indicates that Secure Boot is disabled.
> +        cmd = "efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot"
> +        status, output = self.target.run(cmd, timeout=120)
> +        self.assertEqual(output, "1", msg="\n".join([cmd, output]))
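Review bot: `status` is discarded, so if `efivar` fails (efivarfs not mounted, package missing) the assertion compares the error text with "1" and the failure reads as a wrong value rather than a missing tool; assert `status == 0` first, and use the imported but unused `@OEHasPackage(['efivar'])` decorator so the case skips cleanly when efivar is absent. SecureBoot=1 alone does not prove the firmware enforces signatures: also check SetupMode (same GUID, name `SetupMode`) is 0, otherwise no PK is enrolled and unsigned images still boot. `import os` is unused, a 1300 s test timeout around a 120 s command is hard to justify, and the comment block says the same thing three times.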
> diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> index e5cf7760..ce64b8b5 100644
> --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> @@ -10,4 +10,8 @@ QB_DEFAULT_KERNEL = "none"
>  
>  KERNEL_IMAGETYPE = "Image"
>  
> -IMAGE_INSTALL += "systemd systemd-boot"
> +IMAGE_INSTALL += "systemd systemd-boot util-linux coreutils efivar"
> +
> +inherit extrausers
> +
> +EXTRA_IMAGE_FEATURES += "allow-root-login empty-root-password"
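Review bot: `inherit extrausers` without an `EXTRA_USERS_PARAMS` does nothing and can be dropped, and `allow-root-login empty-root-password` in the image features bakes a passwordless root account into every image built with the uefi-secureboot machine feature, which undoes the protection the series adds; put it in the CI yml's local_conf_header or rely on testimage, as noted above. The added util-linux, coreutils and efivar packages are test dependencies too and fit better next to the TEST_SUITES entry in the yml.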

I don't think you want this.  testimage adds all that fun stuff, but
this is making part of the image, which is making it for all machines
that have this machine feature enabled (due to the previous patches in
this series).

Thanks,
Jon

> -- 
> 2.46.0
> 
> 


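The test above shells out to efivar and checks only SecureBoot. As an added example, not part of the series, this reads the same variables straight from efivarfs on the target, where each file is a 4-byte little-endian attribute word followed by the variable data, and reports enforcing only when SecureBoot is 1 and SetupMode is 0 (a PK is enrolled). The GUID is the EFI_GLOBAL_VARIABLE GUID the test queries, the file layout and attribute bits are from the UEFI specification and the kernel's efivarfs, the sample byte strings are constructed so the block runs on a machine without UEFI, and the function names are my own.

```python
"""Decide whether UEFI Secure Boot is actually enforced from efivarfs (added example)."""
import os
import struct

# EFI_GLOBAL_VARIABLE GUID, the one the oeqa test queries via efivar.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# Variable attribute bits (UEFI spec EFI_VARIABLE_*).
EFI_VARIABLE_NON_VOLATILE = 0x00000001
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x00000002
EFI_VARIABLE_RUNTIME_ACCESS = 0x00000004


def parse_efivarfs(raw):
    """Split an efivarfs file: 4-byte LE attribute word, then the payload."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than the 4-byte attribute header")
    attrs, = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def parse_flag_var(raw):
    """SecureBoot and SetupMode are single-byte UINT8 variables."""
    attrs, data = parse_efivarfs(raw)
    if len(data) != 1:
        raise ValueError("expected 1 data byte, got %d" % len(data))
    return attrs, data[0]


def secure_boot_state(variables):
    """Return (enforcing, reason) from a {name: raw_bytes} mapping.

    SecureBoot=1 is necessary but not sufficient: with SetupMode=1 no Platform
    Key is enrolled and the firmware still boots unsigned images.
    """
    if "SecureBoot" not in variables:
        return False, "SecureBoot not present (no UEFI, or efivarfs not mounted)"
    try:
        sb_attrs, sb = parse_flag_var(variables["SecureBoot"])
    except ValueError as e:
        return False, "SecureBoot: %s" % e
    if sb_attrs & EFI_VARIABLE_NON_VOLATILE:
        # The spec defines SecureBoot as a volatile BS+RT variable; a
        # non-volatile copy was not set by the firmware at this boot.
        return False, "SecureBoot has the NON_VOLATILE attribute set"
    if sb != 1:
        return False, "SecureBoot=%d" % sb
    if "SetupMode" not in variables:
        return False, "SetupMode missing; cannot confirm a PK is enrolled"
    try:
        _, setup = parse_flag_var(variables["SetupMode"])
    except ValueError as e:
        return False, "SetupMode: %s" % e
    if setup != 0:
        return False, "SetupMode=%d: no PK enrolled, signatures not enforced" % setup
    return True, "SecureBoot=1 and SetupMode=0 (user mode)"


def read_global_variables(names, directory=EFIVARS_DIR):
    """Read Name-GUID files from efivarfs on a real target; returns only those found."""
    found = {}
    for name in names:
        path = os.path.join(directory, "%s-%s" % (name, EFI_GLOBAL_VARIABLE_GUID))
        try:
            with open(path, "rb") as f:
                found[name] = f.read()
        except FileNotFoundError:
            pass
    return found


# Constructed samples (not captured from a device): attribute word BS|RT = 0x6,
# then the one-byte value, exactly as efivarfs exposes these variables.
_BS_RT = struct.pack("<I", EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
SAMPLE_ENFORCING = {"SecureBoot": _BS_RT + b"\x01", "SetupMode": _BS_RT + b"\x00"}
SAMPLE_SETUP_MODE = {"SecureBoot": _BS_RT + b"\x00", "SetupMode": _BS_RT + b"\x01"}
SAMPLE_NO_SETUPMODE = {"SecureBoot": _BS_RT + b"\x01"}

if __name__ == "__main__":
    live = read_global_variables(["SecureBoot", "SetupMode"])
    print(secure_boot_state(live if live else SAMPLE_ENFORCING))
```

Note the naming difference between the two interfaces: efivarfs files are `Name-GUID`, while the `efivar -n` argument in the test is `GUID-Name`.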

* Re: [PATCH v4 02/13] core-image-minimal: Use UEFI layout disk partitions
  2024-08-29 16:31 ` [PATCH v4 02/13] core-image-minimal: Use UEFI layout disk partitions Javier Tia
@ 2024-08-30 15:32   ` Jon Mason
  0 siblings, 0 replies; 32+ messages in thread
From: Jon Mason @ 2024-08-30 15:32 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:31:58AM -0600, Javier Tia wrote:
> - Use efi-disk-no-swap.wks.in disk definition to add expected UEFI disk
>   partitions configuration.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  ci/qemuarm64-secureboot.yml                                 | 6 +++---
>  .../images/core-image-minimal-uefi-secureboot.inc           | 1 +
>  meta-arm/recipes-core/images/core-image-minimal.bbappend    | 1 +
>  3 files changed, 5 insertions(+), 3 deletions(-)
>  create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
>  create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend
> 
> diff --git a/ci/qemuarm64-secureboot.yml b/ci/qemuarm64-secureboot.yml
> index b26941e0..fdde1e79 100644
> --- a/ci/qemuarm64-secureboot.yml
> +++ b/ci/qemuarm64-secureboot.yml
> @@ -7,10 +7,10 @@ header:
>  
>  machine: qemuarm64-secureboot
>  
> -target:
> -  - core-image-base
> -
>  local_conf_header:
>    optee: |
>      IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
>      TEST_SUITES:append = " optee ftpm"
> +
> +target:
> +  - core-image-minimal
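Review bot: the commit message says only that the UEFI disk layout is used, but this hunk also switches the CI target from core-image-base to core-image-minimal; that is a separate behavioural change and should be stated and justified in the message or split out. Moving the `target:` block below `local_conf_header:` is a pure reorder that adds diff noise; keep it where it was and change only the image name.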
> diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> new file mode 100644
> index 00000000..351e9030
> --- /dev/null
> +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> @@ -0,0 +1 @@
> +WKS_FILE = "efi-disk-no-swap.wks.in"
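Review bot: WKS_FILE describes the machine's disk layout, not an image's contents, and qemuarm64-secureboot.conf already carries `WKS_FILE_DEPENDS = "trusted-firmware-a"` (visible in patch 01/13), so `WKS_FILE = "efi-disk-no-swap.wks.in"` belongs next to it in the machine conf; set in this .inc it applies only to core-image-minimal and is missing for any other image built for the machine.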
> diff --git a/meta-arm/recipes-core/images/core-image-minimal.bbappend b/meta-arm/recipes-core/images/core-image-minimal.bbappend
> new file mode 100644
> index 00000000..46c00f00
> --- /dev/null
> +++ b/meta-arm/recipes-core/images/core-image-minimal.bbappend
> @@ -0,0 +1 @@
> +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'core-image-minimal-uefi-secureboot.inc', '', d)}
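Review bot: a core-image-minimal.bbappend scopes the secure-boot image setup to that one image, so core-image-base, core-image-sato or any custom image on the same machine silently gets the non-UEFI layout; if an image-side hook is still needed after moving WKS_FILE to the machine conf, a class pulled in through IMAGE_CLASSES when the feature is set covers every image, whereas a per-image bbappend does not. The file is also missing its trailing newline.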

I don't think we want to do this.  This will only work with minimal
images (so no sato/graphics).  We're losing some of the package
testing we get on this unique machine because we're now minimal image.

This seems like it is just adding the WKS file, which should be part
of the machine config.

Thanks,
Jon


> \ No newline at end of file
> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 01/13] qemuarm64-secureboot: Introduce uefi-secureboot machine feature
  2024-08-29 16:31 ` [PATCH v4 01/13] qemuarm64-secureboot: Introduce uefi-secureboot machine feature Javier Tia
@ 2024-08-30 15:42   ` Jon Mason
  0 siblings, 0 replies; 32+ messages in thread
From: Jon Mason @ 2024-08-30 15:42 UTC (permalink / raw)
  To: Javier Tia; +Cc: meta-arm, Mikko Rapeli, Ross Burton, Jon Mason

On Thu, Aug 29, 2024 at 10:31:57AM -0600, Javier Tia wrote:
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  meta-arm/conf/machine/qemuarm64-secureboot.conf | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> index 78a39c03..2483c4ac 100644
> --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
> +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> @@ -22,3 +22,4 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
>  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
>  
>  MACHINE_FEATURES += "optee-ftpm"
> +MACHINE_FEATURES += "uefi-secureboot"
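Review bot: this patch adds `uefi-secureboot` to MACHINE_FEATURES before any class or recipe in the series reacts to it, so on its own it is a no-op, while the later patches that key off the feature (key validation, signing) cannot build until the keys exist; fold this line into the patch that completes the qemuarm64-secureboot enablement so every commit in the series builds and boots by itself, as Jon asks below.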

This should be squashed into another patch.  I'm thinking there should
really just be 3.  

1.  Add support for UEFI secure boot to all of the packages (kernel,
u-boot, etc)
2.  add systemd (if it is really needed)
3.  Add support for UEFI secure boot to qemuarm64-secureboot

With an overall philosophy of "Each patch should do 1 unique thing and
be git bisectable".  As they are now, they are not in a bisectable
order, and are so small that I have to go back-and-forth between the
emails to understand the concepts and make sure there is nothing
missing overall.  I apologize for not saying this in prior revisions,
but per my previous email, I don't really look at patches until they
pass CI.

Thanks,
Jon

> -- 
> 2.46.0
> 
> 



* Re: [PATCH v4 05/13] sbsign.bbclass: Add class to sign binaries
  2024-08-30 14:12   ` Jon Mason
@ 2024-09-02  6:35     ` Mikko Rapeli
  0 siblings, 0 replies; 32+ messages in thread
From: Mikko Rapeli @ 2024-09-02  6:35 UTC (permalink / raw)
  To: Jon Mason; +Cc: Javier Tia, meta-arm, Ross Burton, Jon Mason

Hi,

On Fri, Aug 30, 2024 at 10:12:05AM -0400, Jon Mason wrote:
> On Thu, Aug 29, 2024 at 10:32:01AM -0600, Javier Tia wrote:
> > A lot of recipes are using these same steps to sign binaries
> > for UEFI secure boot.
> 
> Okay, I'm being overly nitpicky here.  But SB means "sign binary",
> right?  So this is "sign binary sign"?  I have a mild concern of name
> space of "SB" and I think it would generally be more obvious if "sb"
> became "signbinary" or something similar.  I don't have very strong
> feelings about it.  So feel free to ignore if you disagree.

sbsign is the name of the tool used to sign these binaries. Another tool,
pesign can also be used. For example systemd refers to sbsign and defaults
to it
https://www.freedesktop.org/software/systemd/man/latest/ukify.html#SecureBootSigningTool=SIGNER

Hence the name of this class to sbsign and variables with SBSIGN prefix.

> Also, I think this could be squashed with the previous (as I'm having
> to use a local git branch to review since these patches are split too
> small).

Ok.

Cheers,

-Mikko

> Thanks,
> Jon
> 
> > 
> > Authored-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > Signed-off-by: Javier Tia <javier.tia@linaro.org>
> > ---
> >  meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++
> >  1 file changed, 39 insertions(+)
> >  create mode 100644 meta-arm/classes/sbsign.bbclass
> > 
> > diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass
> > new file mode 100644
> > index 00000000..a99c0218
> > --- /dev/null
> > +++ b/meta-arm/classes/sbsign.bbclass
> > @@ -0,0 +1,39 @@
> > +# Sign binaries for UEFI secure boot
> > +# Usage in recipes:
> > +#
> > +# Set key and cert files in recipe or machine/distro config:
> > +# SBSIGN_KEY = "db.key"
> > +# SBSIGN_CERT = "db.crt"
> > +#
> > +# Set binary to sign per recipe:
> > +# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign"
> > +#
> > +# Then call do_sbsign() in correct stage of the build
> > +# do_compile:append() {
> > +#     do_sbsign
> > +# }
> > +
> > +DEPENDS += "sbsigntool-native"
> > +
> > +SBSIGN_KEY ?= "db.key"
> > +SBSIGN_CERT ?= "db.crt"
> > +SBSIGN_TARGET_BINARY ?= "binary_to_sign"
> > +
> > +# makes sure changed keys trigger rebuild/re-signing
> > +SRC_URI += "\
> > +    file://${SBSIGN_KEY} \
> > +    file://${SBSIGN_CERT} \
> > +"
> > +
> > +# not adding as task since recipes may need to sign binaries at different
> > +# stages. Instead they can call this function when needed by calling this function
> > +do_sbsign() {
> > +    bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}"
> > +    ${STAGING_BINDIR_NATIVE}/sbsign \
> > +        --key "${UNPACKDIR}/${SBSIGN_KEY}" \
> > +        --cert "${UNPACKDIR}/${SBSIGN_CERT}" \
> > +        --output  "${SBSIGN_TARGET_BINARY}.signed" \
> > +        "${SBSIGN_TARGET_BINARY}"
> > +    cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"
> > +    cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}"
> > +}
> > \ No newline at end of file
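Review bot: `do_sbsign()` has no verification step, so a wrong or mismatched key/cert pair yields a signed binary that U-Boot rejects only at boot; running `${STAGING_BINDIR_NATIVE}/sbverify --cert "${UNPACKDIR}/${SBSIGN_CERT}" "${SBSIGN_TARGET_BINARY}.signed"` (sbverify ships in the same sbsigntool package) right after signing fails the build early. Fetching the private key through `SRC_URI += "file://${SBSIGN_KEY}"` copies db.key into the WORKDIR of every recipe that inherits the class, and into archiver output if that class is enabled, which is more exposure than a signing key needs; passing an absolute path and recording it with `do_compile[file-checksums]` keeps the re-sign-on-key-change behaviour without unpacking the key into each recipe. The function also replaces the original binary in place after saving a `.unsigned` copy, so a second invocation in the same WORKDIR (after a partial rebuild, for instance) feeds an already-signed image back into sbsign; guard on the `.unsigned` file or sign into a separate output path. Minor: the `do_` prefix conventionally denotes a task and this is a plain function, the file has no trailing newline, and the comment above it says "calling this function" twice.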
> > -- 
> > 2.46.0
> > 
> > 



* Re: [PATCH v4 11/13] systemd: Add UEFI support
  2024-08-30 15:24   ` Jon Mason
@ 2024-09-02  6:43     ` Mikko Rapeli
  0 siblings, 0 replies; 32+ messages in thread
From: Mikko Rapeli @ 2024-09-02  6:43 UTC (permalink / raw)
  To: Jon Mason; +Cc: Javier Tia, meta-arm, Ross Burton, Jon Mason

Hi,

On Fri, Aug 30, 2024 at 11:24:35AM -0400, Jon Mason wrote:
> On Thu, Aug 29, 2024 at 10:32:07AM -0600, Javier Tia wrote:
> > Signed-off-by: Javier Tia <javier.tia@linaro.org>
> 
> I'm going to want a HUGE comment on why systemd is required here.  Are
> there some unique things in systemd that aren't present for sysvinit?
> Also, I think the systemd patches should be squashed together.

Extending secure boot to userspace is a lot easier with systemd
than with sysvinit where custom scripts will need to be written
for all use cases.

systemd supports dm-verity and TPM devices for encryption usecases
out of the box. Enabling them is a lot easier than writing custom
scripts for sysvinit.

systemd also supports UEFI signing the UKI binaries which merge
kernel, command line and initrd which helps in bringing secure boot
towards rootfs.

Granted, none of these is specific to ARM64 devices, but they do need
UEFI firmware to work, which is available from meta-arm for qemu
in qemuarm64-secureboot.

Cheers,

-Mikko

> Thanks,
> Jon
> 
> > ---
> >  meta-arm/conf/machine/qemuarm64-secureboot.conf              | 5 +++++
> >  .../images/core-image-minimal-uefi-secureboot.inc            | 2 ++
> >  meta-arm/recipes-core/systemd/systemd-efi.inc                | 1 +
> >  meta-arm/recipes-core/systemd/systemd_%.bbappend             | 1 +
> >  4 files changed, 9 insertions(+)
> >  create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
> >  create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
> > 
> > diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > index 2483c4ac..542d09a3 100644
> > --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > @@ -22,4 +22,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
> >  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> >  
> >  MACHINE_FEATURES += "optee-ftpm"
> > +MACHINE_FEATURES += "efi"
> >  MACHINE_FEATURES += "uefi-secureboot"
> > +
> > +INIT_MANAGER = "systemd"
> > +DISTRO_FEATURES += "systemd"
> > +DISTRO_FEATURES_NATIVE += "systemd"
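Review bot: INIT_MANAGER and DISTRO_FEATURES are distro policy, and setting them from a machine conf overrides whatever distro the user selected for every build of this machine. There is also an ordering hazard: bitbake.conf includes the machine conf before the distro conf, so `DISTRO_FEATURES += "systemd"` assigns the variable before a distro's `DISTRO_FEATURES ?= ...` default (as in poky.conf) is evaluated, and that default is then skipped, which can leave DISTRO_FEATURES holding only `systemd`. If this must stay in the machine conf, use the deferred `DISTRO_FEATURES:append = " systemd"` form; better, move the init-manager choice into the kas/CI configuration for qemuarm64-secureboot together with the justification Jon asks for below.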
> > diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> > index 06046f6e..07e315a3 100644
> > --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> > +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> > @@ -9,3 +9,5 @@ QB_KERNEL_ROOT = ""
> >  QB_DEFAULT_KERNEL = "none"
> >  
> >  KERNEL_IMAGETYPE = "Image"
> > +
> > +IMAGE_INSTALL += "systemd"
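Review bot: `IMAGE_INSTALL += "systemd"` is redundant once INIT_MANAGER = "systemd" is set in the machine conf, since packagegroup-core-boot already pulls in the selected init manager through VIRTUAL-RUNTIME_init_manager; if the intent is the efivarfs auto-mount mentioned in the cover letter, what the image needs is systemd built with the `efi` PACKAGECONFIG (the next hunk), not a second reference to the package.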
> > diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc
> > new file mode 100644
> > index 00000000..5572e51a
> > --- /dev/null
> > +++ b/meta-arm/recipes-core/systemd/systemd-efi.inc
> > @@ -0,0 +1 @@
> > +PACKAGECONFIG:append = " efi"
> > diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend
> > new file mode 100644
> > index 00000000..660358c2
> > --- /dev/null
> > +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend
> > @@ -0,0 +1 @@
> > +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}
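Review bot: a one-line .inc plus a bbappend that conditionally requires it is more indirection than the change needs; the same result in a single file is `PACKAGECONFIG:append = "${@bb.utils.contains('MACHINE_FEATURES', 'efi', ' efi', '', d)}"` in systemd_%.bbappend. Note also that the condition is `efi` while the rest of the series keys on `uefi-secureboot`; that is reasonable, since efivarfs support is useful on any UEFI machine, but it deserves a sentence in the commit message, which currently has none.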
> > -- 
> > 2.46.0
> > 
> > 



* Re: [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot
  2024-08-30 13:24     ` Jon Mason
@ 2024-09-02 17:53       ` Javier Tia
  0 siblings, 0 replies; 32+ messages in thread
From: Javier Tia @ 2024-09-02 17:53 UTC (permalink / raw)
  To: Jon Mason, Mikko Rapeli; +Cc: meta-arm, Ross Burton

Hi,

On 8/30/24 7:24 AM, Jon Mason wrote:
> On Fri, Aug 30, 2024 at 09:10:46AM +0300, Mikko Rapeli wrote:
>> Hi,
>>
>> On Thu, Aug 29, 2024 at 11:06:26PM -0400, Jon Mason wrote:
>>> Looks like this series is not building for me.  I'm seeing the
>>> following error:
>>>
>>> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
>>> The following paths were searched:
>>> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
>>> ERROR: Parsing halted due to errors, see error messages above
>>> ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found
>>> The following paths were searched:
>>> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
>>> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
>>> The following paths were searched:
>>> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
>>>
>>> I've not looked into it, but it's being seen on multiple setups and is
>>> trivial to replicate with:
>>> kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml
>>
>> I think this is the secure boot key generation. You should run
>> meta-arm/uefi-sb-keys/gen_uefi_keys.sh in meta-arm/uefi-sb-keys before
>> building, or have some other way of distributing the keys to build machines.
>>
>> This could be part of a recipe but that would be fully non-reproducible.
> 
> Honestly, I don't even look at the patches if it doesn't pass CI.  It
> not generating keys as part of the build seems like a deal breaker.
> 
>> Maybe there is some kas way of running this script before bitbake build
>> if the key files are not there?
> 
> It is possible, but trying to add it is going to be difficult based on
> the rewrites that would be necessary based on the way the
> .gitlab-ci.yml file is laid out.
> 
> Also, are we expecting a developer to know to run this and do this
> every time, or are we expecting to generate the keys once and reuse
> them?  Even if the latter, i think generating them as part of the
> build is logical (perhaps with a detection for existing keys in the
> directory or something).
> 
> Is it not possible to have some kind of bbappend on u-boot that adds a
> dependency on gen-uefi-sb-keys.bb and calls the script?

I have added the keys generation as part of qemu64sb build. If keys are found, it will skip the keys generation. Also, it fixes the CI build error because of a design error in the keys generation. As long as the keys are the same, it will guarantee build reproducibility.

Pending to send patch series v5 addressing rest of Jon's comments.

» Javier Tia 🖋
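The key-generation discussion above turns on who produces the PK/KEK/db material and when. Neither gen_uefi_keys.sh nor the U-Boot enrolment is shown on this page, so the following is an added illustration, not the series' code, of the EFI_SIGNATURE_LIST container that such a script (typically via efitools' cert-to-efi-sig-list, an assumption about the script) emits for each certificate and that ends up in the firmware's db, KEK and PK variables. It builds an X.509 signature list from an owner GUID and a DER certificate and parses a concatenation of lists back with size checks, as a firmware or a verification tool must before trusting the contents. The certificate bytes and owner GUID are constructed placeholders, not real key material; the structure layout and the EFI_CERT_X509_GUID value are from the UEFI specification.

```python
"""
Build and parse an EFI_SIGNATURE_LIST (ESL) of type EFI_CERT_X509_GUID, the
container format UEFI uses for the certificates stored in PK, KEK and db.

Layout (UEFI specification, all integers little-endian):
  EFI_SIGNATURE_LIST:
    SignatureType       EFI_GUID  16 bytes
    SignatureListSize   UINT32    whole list including this header
    SignatureHeaderSize UINT32    0 for X.509 lists
    SignatureSize       UINT32    16-byte owner GUID + certificate length
  then SignatureHeaderSize bytes of header, then one or more entries:
    SignatureOwner      EFI_GUID  16 bytes
    SignatureData       UINT8[SignatureSize - 16]  DER certificate
"""
import struct
import uuid
from typing import List, Tuple

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def build_x509_esl(owner: uuid.UUID, der_cert: bytes) -> bytes:
    """One X.509 signature list holding a single certificate owned by `owner`."""
    if not der_cert:
        raise ValueError("empty certificate")
    sig_size = 16 + len(der_cert)
    list_size = ESL_HEADER.size + sig_size
    # EFI_GUID is mixed-endian; uuid.bytes_le produces exactly that layout.
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + der_cert


def parse_esl(blob: bytes) -> List[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a concatenation of signature lists (as stored in db/KEK/PK) and
    return (SignatureType, SignatureOwner, SignatureData) per entry, rejecting
    inconsistent sizes instead of silently truncating or over-reading."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError(f"truncated ESL header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:
            raise ValueError(f"SignatureSize {sig_size} smaller than the owner GUID")
        body_len = list_size - ESL_HEADER.size - hdr_size
        if body_len == 0 or body_len % sig_size:
            raise ValueError("signature entries do not fill the list exactly")
        pos = off + ESL_HEADER.size + hdr_size
        end = off + list_size
        sig_type_uuid = uuid.UUID(bytes_le=sig_type)
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append((sig_type_uuid, owner, data))
            pos += sig_size
        off = end
    return entries


# Constructed inputs (not real keys): a made-up owner GUID and a placeholder
# byte string standing in for a DER-encoded certificate.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DER = b"\x30\x82\x00\x04\x30\x82\x00\x00"  # DER-like bytes, not a valid cert

if __name__ == "__main__":
    esl = build_x509_esl(SAMPLE_OWNER, SAMPLE_DER)
    for sig_type, owner, data in parse_esl(esl + esl):
        print(sig_type, owner, len(data), "bytes")
```

Because db is an ordinary concatenation of such lists, the parser is what a "validate UEFI keys exist before building" step can run against the generated .esl files to catch a truncated or mis-sized list before it is compiled into U-Boot; the size checks are the part that matters, since firmware code that trusts SignatureListSize blindly reads past the end of the variable.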



Thread overview: 32+ messages
2024-08-29 16:31 [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Javier Tia
2024-08-29 16:31 ` [PATCH v4 01/13] qemuarm64-secureboot: Introduce uefi-secureboot machine feature Javier Tia
2024-08-30 15:42   ` Jon Mason
2024-08-29 16:31 ` [PATCH v4 02/13] core-image-minimal: Use UEFI layout disk partitions Javier Tia
2024-08-30 15:32   ` Jon Mason
2024-08-29 16:31 ` [PATCH v4 03/13] layer.conf: Introduce UEFI_SB_KEYS_DIR Javier Tia
2024-08-30 14:00   ` Jon Mason
2024-08-29 16:32 ` [PATCH v4 04/13] uefi-sb-keys.bbclass: Add class to validate UEFI keys Javier Tia
2024-08-30 14:03   ` Jon Mason
2024-08-29 16:32 ` [PATCH v4 05/13] sbsign.bbclass: Add class to sign binaries Javier Tia
2024-08-30 14:12   ` Jon Mason
2024-09-02  6:35     ` Mikko Rapeli
2024-08-29 16:32 ` [PATCH v4 06/13] core-image-minimal: Inherit uefi-sb-keys Javier Tia
2024-08-30 14:14   ` Jon Mason
2024-08-29 16:32 ` [PATCH v4 07/13] meta-arm: Introduce gen-uefi-sb-keys.bb recipe Javier Tia
2024-08-30 14:17   ` Jon Mason
2024-08-29 16:32 ` [PATCH v4 08/13] u-boot: Setup UEFI and Secure Boot Javier Tia
2024-08-30 14:23   ` Jon Mason
2024-08-29 16:32 ` [PATCH v4 09/13] qemuarm64-secureboot: Add meta-secure-core layer as dependency Javier Tia
2024-08-30 15:03   ` Jon Mason
2024-08-29 16:32 ` [PATCH v4 10/13] linux-yocto: Setup UEFI and sign kernel image Javier Tia
2024-08-30 15:16   ` Jon Mason
2024-08-29 16:32 ` [PATCH v4 11/13] systemd: Add UEFI support Javier Tia
2024-08-30 15:24   ` Jon Mason
2024-09-02  6:43     ` Mikko Rapeli
2024-08-29 16:32 ` [PATCH v4 12/13] systemd-boot: Use it as bootloader & sign UEFI image Javier Tia
2024-08-29 16:32 ` [PATCH v4 13/13] meta-arm: Add UEFI Secure Boot test Javier Tia
2024-08-30 15:28   ` Jon Mason
2024-08-30  3:06 ` [PATCH v4 00/13] qemuarm64-secureboot: Add UEFI Secure Boot Jon Mason
2024-08-30  6:10   ` Mikko Rapeli
2024-08-30 13:24     ` Jon Mason
2024-09-02 17:53       ` Javier Tia
