Re: [PATCH v4 11/13] systemd: Add UEFI support

[Mikko Rapeli <mikko.rapeli@linaro.org>]

Hi,

On Fri, Aug 30, 2024 at 11:24:35AM -0400, Jon Mason wrote:
> On Thu, Aug 29, 2024 at 10:32:07AM -0600, Javier Tia wrote:
> > Signed-off-by: Javier Tia <javier.tia@linaro.org>
> 
> I'm going to want a HUGE comment on why systemd is required here.  Are
> there some unique things in systemd that aren't present for sysvinit?
> Also, I think the systemd patches should be squashed together.

Extending secure boot to userspace is a lot easier with systemd
than with sysvinit where custom scripts will need to be written
for all use cases.

systemd supports dm-verity and TPM devices for encryption usecases
out of the box. Enabling them is a lot easier than writing custom
scripts for sysvinit.

systemd also supports EUFI signing the UKI binaries which merge
kernel, command line and initrd which helps in bringing secure boot
towards rootfs.

Granted, none of these are specific to ARM64 device but these do need
UEFI firmware to work which are available from meta-arm for qemu
in qemuarm64-secureboot.

Cheers,

-Mikko

> Thanks,
> Jon
> 
> > ---
> >  meta-arm/conf/machine/qemuarm64-secureboot.conf              | 5 +++++
> >  .../images/core-image-minimal-uefi-secureboot.inc            | 2 ++
> >  meta-arm/recipes-core/systemd/systemd-efi.inc                | 1 +
> >  meta-arm/recipes-core/systemd/systemd_%.bbappend             | 1 +
> >  4 files changed, 9 insertions(+)
> >  create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
> >  create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
> > 
> > diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > index 2483c4ac..542d09a3 100644
> > --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> > @@ -22,4 +22,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a"
> >  IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> >  
> >  MACHINE_FEATURES += "optee-ftpm"
> > +MACHINE_FEATURES += "efi"
> >  MACHINE_FEATURES += "uefi-secureboot"
> > +
> > +INIT_MANAGER = "systemd"
> > +DISTRO_FEATURES += "systemd"
> > +DISTRO_FEATURES_NATIVE += "systemd"
> > diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> > index 06046f6e..07e315a3 100644
> > --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> > +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> > @@ -9,3 +9,5 @@ QB_KERNEL_ROOT = ""
> >  QB_DEFAULT_KERNEL = "none"
> >  
> >  KERNEL_IMAGETYPE = "Image"
> > +
> > +IMAGE_INSTALL += "systemd"
> > diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc
> > new file mode 100644
> > index 00000000..5572e51a
> > --- /dev/null
> > +++ b/meta-arm/recipes-core/systemd/systemd-efi.inc
> > @@ -0,0 +1 @@
> > +PACKAGECONFIG:append = " efi"
> > diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend
> > new file mode 100644
> > index 00000000..660358c2
> > --- /dev/null
> > +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend
> > @@ -0,0 +1 @@
> > +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}
> > -- 
> > 2.46.0
> > 
> >