* [PATCH 0/3] systemd uki support
From: Mikko Rapeli @ 2024-09-02 9:41 UTC (permalink / raw)
To: openembedded-core; +Cc: Mikko Rapeli
These changes enable building systemd UKI images, which combine the
kernel, kernel command line, initrd and possibly signatures into
a single UEFI binary. This binary can be booted by UEFI firmware
and systemd-boot. No GRUB is needed, and UEFI firmware and/or
systemd-boot provide possibilities for boot menus.

The UKI binary can also be signed for UEFI Secure Boot,
so that secure boot extends from the firmware to the kernel and initrd.
Binding secure boot to the full userspace is then easier, since, for example,
the kernel command line and initrd contain the support needed to mount
encrypted, dm-verity etc. partitions, and/or create partitions on demand
with systemd-repart using device-specific TPM devices for encryption.

Tested on the qemuarm64-secureboot machine from meta-arm with changes to
support secure boot. A slightly different configuration was tested on
multiple arm64 SystemReady boards with UEFI firmware and real and
firmware-based TPM devices.
Erik Schilling (1):
systemd-tools: add recipe
Michelle Lin (1):
uki.bbclass: add class for building Unified Kernel Images (UKI)
Mikko Rapeli (1):
bitbake.conf: add getopt to HOSTTOOLS
meta/classes-recipe/uki.bbclass | 158 ++++++++++++++++++
meta/conf/bitbake.conf | 2 +-
.../systemd/systemd-tools_256.5.bb | 41 +++++
3 files changed, 200 insertions(+), 1 deletion(-)
create mode 100644 meta/classes-recipe/uki.bbclass
create mode 100644 meta/recipes-core/systemd/systemd-tools_256.5.bb
--
2.34.1
^ permalink raw reply [flat|nested] 16+ messages in thread* [PATCH 1/3] systemd-tools: add recipe 2024-09-02 9:41 [PATCH 0/3] systemd uki support Mikko Rapeli @ 2024-09-02 9:41 ` Mikko Rapeli 2024-09-02 9:59 ` [OE-core] " Richard Purdie 2024-09-02 9:41 ` [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS Mikko Rapeli 2024-09-02 9:41 ` [PATCH 3/3] uki.bbclass: add class for building Unified Kernel Images (UKI) Mikko Rapeli 2 siblings, 1 reply; 16+ messages in thread From: Mikko Rapeli @ 2024-09-02 9:41 UTC (permalink / raw) To: openembedded-core; +Cc: Erik Schilling, Mikko Rapeli From: Erik Schilling <erik.schilling@linaro.org> Provides systemd-tools-native recipe for ukify.py tooling. Avoids full systemd native build which is not needed. Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> --- .../systemd/systemd-tools_256.5.bb | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd-tools_256.5.bb diff --git a/meta/recipes-core/systemd/systemd-tools_256.5.bb b/meta/recipes-core/systemd/systemd-tools_256.5.bb new file mode 100644 index 0000000000..f2e419ffe0 --- /dev/null +++ b/meta/recipes-core/systemd/systemd-tools_256.5.bb 
@@ -0,0 +1,41 @@ +require systemd.inc +FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:" + +DEPENDS = " \ + intltool-native \ + libcap \ + util-linux \ + gperf-native \ + python3-jinja2-native \ + python3-pyelftools-native \ + python3-pefile \ +" + +inherit meson pkgconfig gettext + +MESON_TARGET = "ukify" + +# Helper variables to clarify locations. This mirrors the logic in systemd's +# build system. +rootprefix ?= "${root_prefix}" +rootlibdir ?= "${base_libdir}" +rootlibexecdir = "${rootprefix}/lib" + +EXTRA_OEMESON += "-Dnobody-user=nobody \ + -Dnobody-group=nogroup \ + -Drootlibdir=${rootlibdir} \ + -Drootprefix=${rootprefix} \ + -Ddefault-locale=C \ + -Dmode=release \ + -Dsystem-alloc-uid-min=101 \ + -Dsystem-uid-max=999 \ + -Dsystem-alloc-gid-min=101 \ + -Dsystem-gid-max=999 \ +" + +do_install() { + install -d ${D}${bindir}/ + install -m 0755 ${S}/src/ukify/ukify.py ${D}${bindir}/ukify +} + +BBCLASSEXTEND = "native" -- 2.34.1 ^ permalink raw reply related [flat|nested] 16+ messages in thread
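Review bot: do_install copies ${S}/src/ukify/ukify.py straight out of the source tree, so the meson build selected by MESON_TARGET = "ukify" produces nothing that is installed; either install the generated ukify from ${B} or drop inherit meson together with the EXTRA_OEMESON block, which also removes the host getent dependency that 2/3 adds for the meson configure step. Smaller points in the same hunk: rootlibexecdir is defined but never used; the target-side DEPENDS on libcap and util-linux are not needed for a native-only Python script; and because ukify is a script, its Python modules are needed when it runs in the native sysroot, not only at build time, so python3-pefile (already listed in DEPENDS) belongs in RDEPENDS:${PN} as well.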
* Re: [OE-core] [PATCH 1/3] systemd-tools: add recipe 2024-09-02 9:41 ` [PATCH 1/3] systemd-tools: add recipe Mikko Rapeli @ 2024-09-02 9:59 ` Richard Purdie 2024-09-02 10:05 ` Mikko Rapeli 0 siblings, 1 reply; 16+ messages in thread From: Richard Purdie @ 2024-09-02 9:59 UTC (permalink / raw) To: mikko.rapeli, openembedded-core; +Cc: Erik Schilling On Mon, 2024-09-02 at 12:41 +0300, Mikko Rapeli via lists.openembedded.org wrote: > From: Erik Schilling <erik.schilling@linaro.org> > > Provides systemd-tools-native recipe for ukify.py tooling. > Avoids full systemd native build which is not needed. > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > --- > .../systemd/systemd-tools_256.5.bb | 41 > +++++++++++++++++++ > 1 file changed, 41 insertions(+) > create mode 100644 meta/recipes-core/systemd/systemd-tools_256.5.bb > > diff --git a/meta/recipes-core/systemd/systemd-tools_256.5.bb > b/meta/recipes-core/systemd/systemd-tools_256.5.bb > new file mode 100644 > index 0000000000..f2e419ffe0 > --- /dev/null > +++ b/meta/recipes-core/systemd/systemd-tools_256.5.bb 
> @@ -0,0 +1,41 @@ > +require systemd.inc > +FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:" > + > +DEPENDS = " \ > + intltool-native \ > + libcap \ > + util-linux \ > + gperf-native \ > + python3-jinja2-native \ > + python3-pyelftools-native \ > + python3-pefile \ > +" > + > +inherit meson pkgconfig gettext > + > +MESON_TARGET = "ukify" > + > +# Helper variables to clarify locations. This mirrors the logic in > systemd's > +# build system. > +rootprefix ?= "${root_prefix}" > +rootlibdir ?= "${base_libdir}" > +rootlibexecdir = "${rootprefix}/lib" > + > +EXTRA_OEMESON += "-Dnobody-user=nobody \ > + -Dnobody-group=nogroup \ > + -Drootlibdir=${rootlibdir} \ > + -Drootprefix=${rootprefix} \ > + -Ddefault-locale=C \ > + -Dmode=release \ > + -Dsystem-alloc-uid-min=101 \ > + -Dsystem-uid-max=999 \ > + -Dsystem-alloc-gid-min=101 \ > + -Dsystem-gid-max=999 \ > +" > + > +do_install() { > + install -d ${D}${bindir}/ > + install -m 0755 ${S}/src/ukify/ukify.py ${D}${bindir}/ukify > +} > + > +BBCLASSEXTEND = "native" This will fail in CI as there is now maintainers file entry... Cheers, Richard ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [OE-core] [PATCH 1/3] systemd-tools: add recipe 2024-09-02 9:59 ` [OE-core] " Richard Purdie @ 2024-09-02 10:05 ` Mikko Rapeli 2024-09-02 10:17 ` Alexander Kanavin 0 siblings, 1 reply; 16+ messages in thread From: Mikko Rapeli @ 2024-09-02 10:05 UTC (permalink / raw) To: Qi.Chen; +Cc: openembedded-core, Erik Schilling, Richard Purdie Hi, On Mon, Sep 02, 2024 at 10:59:22AM +0100, Richard Purdie wrote: > This will fail in CI as there is now maintainers file entry... Chen, since you are systemd maintainer, would you mind if I add systemd-tools for you too? It's only the ukify python script currently for native use cases at build time. --- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc @@ -795,6 +795,7 @@ RECIPE_MAINTAINER:pn-systemd-compat-units = "Chen Qi <Qi.Chen@windriver.com>" RECIPE_MAINTAINER:pn-systemd-machine-units = "Chen Qi <Qi.Chen@windriver.com>" RECIPE_MAINTAINER:pn-systemd-serialgetty = "Chen Qi <Qi.Chen@windriver.com>" RECIPE_MAINTAINER:pn-systemd-systemctl-native = "Chen Qi <Qi.Chen@windriver.com>" +RECIPE_MAINTAINER:pn-systemd-tools-native = "Chen Qi <Qi.Chen@windriver.com>" RECIPE_MAINTAINER:pn-systemtap = "Victor Kamensky <victor.kamensky7@gmail.com>" RECIPE_MAINTAINER:pn-systemtap-native = "Victor Kamensky <victor.kamensky7@gmail.com>" RECIPE_MAINTAINER:pn-sysvinit = "Ross Burton <ross.burton@arm.com>" Cheers, -Mikko ^ permalink raw reply [flat|nested] 16+ messages in thread
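Review bot: the recipe added in 1/3 is systemd-tools_256.5.bb with BBCLASSEXTEND = "native", so its PN is systemd-tools and the native variant is derived from it; the maintainers check looks entries up by PN, so the new line should be RECIPE_MAINTAINER:pn-systemd-tools rather than pn-systemd-tools-native. The neighbouring pn-systemd-systemctl-native entry is not a precedent, since that recipe's file name itself ends in -native.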
* Re: [OE-core] [PATCH 1/3] systemd-tools: add recipe 2024-09-02 10:05 ` Mikko Rapeli @ 2024-09-02 10:17 ` Alexander Kanavin 2024-09-02 10:29 ` Mikko Rapeli 2024-09-02 10:36 ` Erik Schilling 0 siblings, 2 replies; 16+ messages in thread From: Alexander Kanavin @ 2024-09-02 10:17 UTC (permalink / raw) To: mikko.rapeli; +Cc: Qi.Chen, openembedded-core, Erik Schilling, Richard Purdie Wait. Isn't this ukify.py thingy already provided from systemd-boot-native recipe? Alex On Mon, 2 Sept 2024 at 12:06, Mikko Rapeli via lists.openembedded.org <mikko.rapeli=linaro.org@lists.openembedded.org> wrote: > > Hi, > > On Mon, Sep 02, 2024 at 10:59:22AM +0100, Richard Purdie wrote: > > This will fail in CI as there is now maintainers file entry... > > Chen, since you are systemd maintainer, would you mind if I add > systemd-tools for you too? It's only the ukify python script > currently for native use cases at build time. > > --- a/meta/conf/distro/include/maintainers.inc > +++ b/meta/conf/distro/include/maintainers.inc 
> @@ -795,6 +795,7 @@ RECIPE_MAINTAINER:pn-systemd-compat-units = "Chen Qi <Qi.Chen@windriver.com>" > RECIPE_MAINTAINER:pn-systemd-machine-units = "Chen Qi <Qi.Chen@windriver.com>" > RECIPE_MAINTAINER:pn-systemd-serialgetty = "Chen Qi <Qi.Chen@windriver.com>" > RECIPE_MAINTAINER:pn-systemd-systemctl-native = "Chen Qi <Qi.Chen@windriver.com>" > +RECIPE_MAINTAINER:pn-systemd-tools-native = "Chen Qi <Qi.Chen@windriver.com>" > RECIPE_MAINTAINER:pn-systemtap = "Victor Kamensky <victor.kamensky7@gmail.com>" > RECIPE_MAINTAINER:pn-systemtap-native = "Victor Kamensky <victor.kamensky7@gmail.com>" > RECIPE_MAINTAINER:pn-sysvinit = "Ross Burton <ross.burton@arm.com>" > > Cheers, > > -Mikko > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#204069): https://lists.openembedded.org/g/openembedded-core/message/204069 > Mute This Topic: https://lists.openembedded.org/mt/108223984/1686489 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [OE-core] [PATCH 1/3] systemd-tools: add recipe
From: Mikko Rapeli @ 2024-09-02 10:29 UTC (permalink / raw)
To: Alexander Kanavin
Cc: Qi.Chen, openembedded-core, Erik Schilling, Richard Purdie

Hi,

On Mon, Sep 02, 2024 at 12:17:53PM +0200, Alexander Kanavin wrote:
> Wait. Isn't this ukify.py thingy already provided from
> systemd-boot-native recipe?

Oh, it is. I've somehow missed this. Will switch over to it.

Cheers,

-Mikko
* Re: [OE-core] [PATCH 1/3] systemd-tools: add recipe 2024-09-02 10:17 ` Alexander Kanavin 2024-09-02 10:29 ` Mikko Rapeli @ 2024-09-02 10:36 ` Erik Schilling 1 sibling, 0 replies; 16+ messages in thread From: Erik Schilling @ 2024-09-02 10:36 UTC (permalink / raw) To: Alexander Kanavin, mikko.rapeli Cc: Qi.Chen, openembedded-core, Richard Purdie On Mon Sep 2, 2024 at 12:17 PM CEST, Alexander Kanavin wrote: > Wait. Isn't this ukify.py thingy already provided from > systemd-boot-native recipe? Yes. It was added while I did this change as part of a PoC ~a year ago. I am not a huge fan of it having landed in systemd-boot-native. I think there are further tools that would be interesting to have in a systemd-native-style recipe (for example systemd-repart [1]). But as of now, I agree that this recipe is probably not required! - Erik [1] https://lore.kernel.org/all/20240426-systemd-repart-v1-1-a6a710a14a8c@linaro.org/ > > Alex > > On Mon, 2 Sept 2024 at 12:06, Mikko Rapeli via lists.openembedded.org > <mikko.rapeli=linaro.org@lists.openembedded.org> wrote: > > > > Hi, > > > > On Mon, Sep 02, 2024 at 10:59:22AM +0100, Richard Purdie wrote: > > > This will fail in CI as there is now maintainers file entry... > > > > Chen, since you are systemd maintainer, would you mind if I add > > systemd-tools for you too? It's only the ukify python script > > currently for native use cases at build time. > > > > --- a/meta/conf/distro/include/maintainers.inc > > +++ b/meta/conf/distro/include/maintainers.inc 
> > @@ -795,6 +795,7 @@ RECIPE_MAINTAINER:pn-systemd-compat-units = "Chen Qi <Qi.Chen@windriver.com>" > > RECIPE_MAINTAINER:pn-systemd-machine-units = "Chen Qi <Qi.Chen@windriver.com>" > > RECIPE_MAINTAINER:pn-systemd-serialgetty = "Chen Qi <Qi.Chen@windriver.com>" > > RECIPE_MAINTAINER:pn-systemd-systemctl-native = "Chen Qi <Qi.Chen@windriver.com>" > > +RECIPE_MAINTAINER:pn-systemd-tools-native = "Chen Qi <Qi.Chen@windriver.com>" > > RECIPE_MAINTAINER:pn-systemtap = "Victor Kamensky <victor.kamensky7@gmail.com>" > > RECIPE_MAINTAINER:pn-systemtap-native = "Victor Kamensky <victor.kamensky7@gmail.com>" > > RECIPE_MAINTAINER:pn-sysvinit = "Ross Burton <ross.burton@arm.com>" > > > > Cheers, > > > > -Mikko > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#204069): https://lists.openembedded.org/g/openembedded-core/message/204069 > > Mute This Topic: https://lists.openembedded.org/mt/108223984/1686489 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS 2024-09-02 9:41 [PATCH 0/3] systemd uki support Mikko Rapeli 2024-09-02 9:41 ` [PATCH 1/3] systemd-tools: add recipe Mikko Rapeli @ 2024-09-02 9:41 ` Mikko Rapeli 2024-09-02 10:09 ` [OE-core] " Peter Kjellerstedt 2024-09-02 9:41 ` [PATCH 3/3] uki.bbclass: add class for building Unified Kernel Images (UKI) Mikko Rapeli 2 siblings, 1 reply; 16+ messages in thread From: Mikko Rapeli @ 2024-09-02 9:41 UTC (permalink / raw) To: openembedded-core; +Cc: Mikko Rapeli Needed by systemd-tools-native Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> --- meta/conf/bitbake.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf index d8252c5b82..a8c630e7f8 100644 --- a/meta/conf/bitbake.conf +++ b/meta/conf/bitbake.conf @@ -511,7 +511,7 @@ HOSTTOOLS_DIR = "${TMPDIR}/hosttools" HOSTTOOLS += " \ [ ar as awk basename bash bunzip2 bzip2 cat chgrp chmod chown chrpath cmp comm cp cpio \ cpp cut date dd diff diffstat dirname du echo egrep env expand expr false \ - fgrep file find flock g++ gawk gcc getconf getopt git grep gunzip gzip \ + fgrep file find flock g++ gawk getent gcc getconf getopt git grep gunzip gzip \ head hostname iconv id install ld ldd ln ls lz4c make md5sum mkdir mkfifo mknod \ mktemp mv nm objcopy objdump od patch perl pr printf pwd \ python3 pzstd ranlib readelf readlink realpath rm rmdir rpcgen sed seq sh \ -- 2.34.1 ^ permalink raw reply related [flat|nested] 16+ messages in thread
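Review bot: the subject and commit message say getopt, which is already in the list, but the hunk adds getent; please fix the subject. More importantly, getent reads the build host's NSS databases (passwd, group, hosts), so whitelisting it in HOSTTOOLS lets a configure step pick up host-specific values, which is exactly the host contamination that HOSTTOOLS filtering exists to prevent; if the systemd meson check cannot be disabled, the dependency belongs in the one recipe that needs it, not in bitbake.conf for every build. Also keep the list sorted: getent goes between getconf and getopt (gcc getconf getent getopt), not before gcc.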
* RE: [OE-core] [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS 2024-09-02 9:41 ` [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS Mikko Rapeli @ 2024-09-02 10:09 ` Peter Kjellerstedt 2024-09-02 10:15 ` Alexander Kanavin 2024-09-02 10:15 ` Mikko Rapeli 0 siblings, 2 replies; 16+ messages in thread From: Peter Kjellerstedt @ 2024-09-02 10:09 UTC (permalink / raw) To: Mikko Rapeli, openembedded-core@lists.openembedded.org > -----Original Message----- > From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Mikko Rapeli > Sent: den 2 september 2024 11:41 > To: openembedded-core@lists.openembedded.org > Cc: Mikko Rapeli <mikko.rapeli@linaro.org> > Subject: [OE-core] [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS You are adding getent, not getopt. > > Needed by systemd-tools-native > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > --- > meta/conf/bitbake.conf | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf > index d8252c5b82..a8c630e7f8 100644 > --- a/meta/conf/bitbake.conf > +++ b/meta/conf/bitbake.conf > @@ -511,7 +511,7 @@ HOSTTOOLS_DIR = "${TMPDIR}/hosttools" > HOSTTOOLS += " \ > [ ar as awk basename bash bunzip2 bzip2 cat chgrp chmod chown chrpath cmp comm cp cpio \ > cpp cut date dd diff diffstat dirname du echo egrep env expand expr false \ > - fgrep file find flock g++ gawk gcc getconf getopt git grep gunzip gzip \ > + fgrep file find flock g++ gawk getent gcc getconf getopt git grep gunzip gzip \ Keep the commands sorted. > head hostname iconv id install ld ldd ln ls lz4c make md5sum mkdir mkfifo mknod \ > mktemp mv nm objcopy objdump od patch perl pr printf pwd \ > python3 pzstd ranlib readelf readlink realpath rm rmdir rpcgen sed seq sh \ > -- > 2.34.1 //Peter ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [OE-core] [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS 2024-09-02 10:09 ` [OE-core] " Peter Kjellerstedt @ 2024-09-02 10:15 ` Alexander Kanavin 2024-09-02 10:27 ` Mikko Rapeli [not found] ` <17F1667FB4E21297.30681@lists.openembedded.org> 2024-09-02 10:15 ` Mikko Rapeli 1 sibling, 2 replies; 16+ messages in thread From: Alexander Kanavin @ 2024-09-02 10:15 UTC (permalink / raw) To: peter.kjellerstedt; +Cc: Mikko Rapeli, openembedded-core@lists.openembedded.org Also, can't this be supplied with DEPENDS? Adding to HOSTTOOLS to cater to needs of a single recipe is not a good thing. Alex On Mon, 2 Sept 2024 at 12:10, Peter Kjellerstedt via lists.openembedded.org <peter.kjellerstedt=axis.com@lists.openembedded.org> wrote: > > > -----Original Message----- > > From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Mikko Rapeli > > Sent: den 2 september 2024 11:41 > > To: openembedded-core@lists.openembedded.org > > Cc: Mikko Rapeli <mikko.rapeli@linaro.org> > > Subject: [OE-core] [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS > > You are adding getent, not getopt. > > > > > Needed by systemd-tools-native > > > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > > --- > > meta/conf/bitbake.conf | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf > > index d8252c5b82..a8c630e7f8 100644 > > --- a/meta/conf/bitbake.conf > > +++ b/meta/conf/bitbake.conf 
> > @@ -511,7 +511,7 @@ HOSTTOOLS_DIR = "${TMPDIR}/hosttools" > > HOSTTOOLS += " \ > > [ ar as awk basename bash bunzip2 bzip2 cat chgrp chmod chown chrpath cmp comm cp cpio \ > > cpp cut date dd diff diffstat dirname du echo egrep env expand expr false \ > > - fgrep file find flock g++ gawk gcc getconf getopt git grep gunzip gzip \ > > + fgrep file find flock g++ gawk getent gcc getconf getopt git grep gunzip gzip \ > > Keep the commands sorted. > > > head hostname iconv id install ld ldd ln ls lz4c make md5sum mkdir mkfifo mknod \ > > mktemp mv nm objcopy objdump od patch perl pr printf pwd \ > > python3 pzstd ranlib readelf readlink realpath rm rmdir rpcgen sed seq sh \ > > -- > > 2.34.1 > > //Peter > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#204070): https://lists.openembedded.org/g/openembedded-core/message/204070 > Mute This Topic: https://lists.openembedded.org/mt/108223986/1686489 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [OE-core] [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS
From: Mikko Rapeli @ 2024-09-02 10:27 UTC (permalink / raw)
To: Alexander Kanavin
Cc: peter.kjellerstedt, openembedded-core@lists.openembedded.org

Hi,

On Mon, Sep 02, 2024 at 12:15:02PM +0200, Alexander Kanavin wrote:
> Also, can't this be supplied with DEPENDS? Adding to HOSTTOOLS to
> cater to needs of a single recipe is not a good thing.

On Debian/Ubuntu getent is part of the libc-bin package, which is marked
essential, so it is installed basically everywhere by default. The systemd
side meson build script was failing without it. I can try to check
if there is some config etc. way to disable the dependency.

Or if this causes problems then I can move this to the "usage instructions"
of ukify.bbclass.

Cheers,

-Mikko
* Re: [OE-core] [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS
From: Alexander Kanavin @ 2024-09-02 10:34 UTC (permalink / raw)
To: Mikko Rapeli; +Cc: peter.kjellerstedt, openembedded-core@lists.openembedded.org

On Mon, 2 Sept 2024 at 12:27, Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
> On Debian/Ubuntu getent is part of libc-bin package which is marked
> essential so installed basically everywhere by default. The systemd
> side meson build script was failing without it. I can try to check
> if there some config etc way to disable the dependency.
>
> Or if this causes problems then I can move this to "usage instructions"
> of ukify.bbclass.

getent is obtaining host-specific information, and before we even allow it,
it would be good to know how and why it's used in the build. Would it result
in host contamination?

I'm also curious to know why we even need to run the build process, if
do_install only copies a script out of ${S}?

I guess all these points should be addressed when you switch over to the
existing recipe (which indeed is only a trivial script copy).

Alex
* Re: [OE-core] [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS
From: Mikko Rapeli @ 2024-09-02 10:35 UTC (permalink / raw)
To: Alexander Kanavin, peter.kjellerstedt, openembedded-core@lists.openembedded.org

Hi,

On Mon, Sep 02, 2024 at 01:27:05PM +0300, Mikko Rapeli via lists.openembedded.org wrote:
> Hi,
>
> On Mon, Sep 02, 2024 at 12:15:02PM +0200, Alexander Kanavin wrote:
> > Also, can't this be supplied with DEPENDS? Adding to HOSTTOOLS to
> > cater to needs of a single recipe is not a good thing.
>
> On Debian/Ubuntu getent is part of libc-bin package which is marked
> essential so installed basically everywhere by default. The systemd
> side meson build script was failing without it. I can try to check
> if there some config etc way to disable the dependency.
>
> Or if this causes problems then I can move this to "usage instructions"
> of ukify.bbclass.

Dropping the systemd-tools-native change since systemd-boot-native already
provides the ukify script and doesn't call into meson, so this patch is not
needed after all.

Cheers,

-Mikko
* Re: [OE-core] [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS 2024-09-02 10:09 ` [OE-core] " Peter Kjellerstedt 2024-09-02 10:15 ` Alexander Kanavin @ 2024-09-02 10:15 ` Mikko Rapeli 1 sibling, 0 replies; 16+ messages in thread From: Mikko Rapeli @ 2024-09-02 10:15 UTC (permalink / raw) To: Peter Kjellerstedt; +Cc: openembedded-core@lists.openembedded.org Hi, On Mon, Sep 02, 2024 at 10:09:54AM +0000, Peter Kjellerstedt wrote: > > -----Original Message----- > > From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Mikko Rapeli > > Sent: den 2 september 2024 11:41 > > To: openembedded-core@lists.openembedded.org > > Cc: Mikko Rapeli <mikko.rapeli@linaro.org> > > Subject: [OE-core] [PATCH 2/3] bitbake.conf: add getopt to HOSTTOOLS > > You are adding getent, not getopt. Thanks, can't even blame autocorrect... Cheers, -Mikko > > Needed by systemd-tools-native > > > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > > --- > > meta/conf/bitbake.conf | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf > > index d8252c5b82..a8c630e7f8 100644 > > --- a/meta/conf/bitbake.conf > > +++ b/meta/conf/bitbake.conf 
> > @@ -511,7 +511,7 @@ HOSTTOOLS_DIR = "${TMPDIR}/hosttools" > > HOSTTOOLS += " \ > > [ ar as awk basename bash bunzip2 bzip2 cat chgrp chmod chown chrpath cmp comm cp cpio \ > > cpp cut date dd diff diffstat dirname du echo egrep env expand expr false \ > > - fgrep file find flock g++ gawk gcc getconf getopt git grep gunzip gzip \ > > + fgrep file find flock g++ gawk getent gcc getconf getopt git grep gunzip gzip \ > > Keep the commands sorted. > > > head hostname iconv id install ld ldd ln ls lz4c make md5sum mkdir mkfifo mknod \ > > mktemp mv nm objcopy objdump od patch perl pr printf pwd \ > > python3 pzstd ranlib readelf readlink realpath rm rmdir rpcgen sed seq sh \ > > -- > > 2.34.1 > > //Peter > ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 3/3] uki.bbclass: add class for building Unified Kernel Images (UKI)
From: Mikko Rapeli @ 2024-09-02 9:41 UTC (permalink / raw)
To: openembedded-core; +Cc: Michelle Lin, Erik Schilling, Mikko Rapeli

From: Michelle Lin <michelle.linto91@gmail.com>

This class calls the systemd ukify tool, which will combine
kernel/initrd/stub components to build the UKI. To sign the UKI
(i.e. SecureBoot), the keys/cert files can be specified
in a configuration file, or UEFI binary signing can be done
via separate steps; see qemuarm64-secureboot in meta-arm.
UKIs are loaded by UEFI firmware on target, which can improve
security by loading only a correctly signed kernel, initrd and kernel
command line.

Using systemd-measure to pre-calculate TPM PCR values and sign them is
not supported since that requires a TPM device on the build host. Thus
the "ConditionSecurity=measured-uki" default from systemd 256 does not work,
but "ConditionSecurity=tpm2" in combination with secure boot will.
These can be used to boot securely into systemd-boot, kernel, kernel
command line and initrd, which then securely mounts a read-only dm-verity
/usr partition and creates a TPM-encrypted read-write / rootfs.

Tested via qemuarm64-secureboot in meta-arm with
https://lists.yoctoproject.org/g/meta-arm/topic/patch_v3_02_13/108031399
and a few more changes needed, which will be posted separately.

Signed-off-by: Michelle Lin <michelle.linto91@gmail.com>
Cc: Erik Schilling <erik.schilling@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 meta/classes-recipe/uki.bbclass | 158 ++++++++++++++++++++++++++++++++
 1 file changed, 158 insertions(+)
 create mode 100644 meta/classes-recipe/uki.bbclass
diff --git a/meta/classes-recipe/uki.bbclass b/meta/classes-recipe/uki.bbclass new file mode 100644 index 0000000000..472eb476a0 --- /dev/null +++ b/meta/classes-recipe/uki.bbclass 
@@ -0,0 +1,158 @@ +# Unified kernel image (UKI) class +# +# This bbclass merges kernel, initrd etc as a UKI standard UEFI binary, +# to be loaded with UEFI firmware on target. SecureBoot signing is +# supported via add ons. TPM PCR pre-calculation is not supported since +# systemd-measure tooling is meant to run on target, not in cross compile +# environment. +# +# See: +# https://www.freedesktop.org/software/systemd/man/latest/ukify.html +# https://uapi-group.org/specifications/specs/unified_kernel_image/ +# +# The UKI is composed from +# - an UEFI stub +# The linux kernel can generate a UEFI stub, however the one from systemd-boot can fetch +# the command line from a separate section of the EFI application, avoiding the need to +# rebuild the kernel. +# - the kernel +# - an initramfs +# - other metadata (e.g. PCR measurements) +# +# Usage instructions: +# - requires UEFI compatible firmware on target, e.g. qemuarm64-secureboot from meta-arm +# - Distro config: +# INIT_MANAGER = "systemd" +# DISTRO_FEATURES += "systemd" +# DISTRO_FEATURES_NATIVE += "systemd" +# DISTRO_FEATURES += "efi" +# DISTRO_FEATURES += "uki" +# INITRAMFS_IMAGE ?= "core-image-minimal-initramfs" +# HOSTTOOLS += "getent ping" +# EFI_PROVIDER = "systemd-boot" +# - image recipe: +# INHERIT_UKI = "${@bb.utils.contains('DISTRO_FEATURES', 'uki', 'uki', '', d)}" +# inherit ${INHERIT_UKI} +# - qemuboot/runqemu changes in image recipe: +# # Detected by passing kernel parameter +# QB_KERNEL_ROOT = "" +# # kernel is in the image, should not be loaded separately +# QB_DEFAULT_KERNEL = "none" +# - for UEFI secure boot, systemd-boot, uki and linux kernel need +# to be signed with sbsign (recipe available from meta-secure-core, +# see also qemuarm64-secureboot from meta-arm) + +DEPENDS += "\ + systemd \ + systemd-boot \ + systemd-tools-native \ + virtual/${TARGET_PREFIX}binutils \ + virtual/kernel \ +" + +REQUIRED_DISTRO_FEATURES += "usrmerge systemd uki" + +inherit features_check image-artifact-names 
+require ../conf/image-uefi.conf + +INITRAMFS_IMAGE ?= "core-image-minimal-initramfs" + +INITRD_ARCHIVE ?= "${INITRAMFS_IMAGE}-${MACHINE}.${INITRAMFS_FSTYPES}" + +do_image_complete[depends] += "${INITRAMFS_IMAGE}:do_image_complete" + +UKIFY_CMD ?= "ukify build" +UKI_CONFIG_FILE ?= "${UNPACKDIR}/uki.conf" +UKI_FILENAME ?= "uki.efi" +UKI_CMDLINE ?= "rootwait root=/dev/vda2" + +IMAGE_EFI_BOOT_FILES ?= "${UKI_FILENAME};EFI/Linux/${UKI_FILENAME}" + +do_uki[depends] += " \ + systemd-boot:do_deploy \ + virtual/kernel:do_deploy \ + " +do_uki[depends] += "${@ '${INITRAMFS_IMAGE}:do_image_complete' if d.getVar('INITRAMFS_IMAGE') else ''}" + +# ensure that the build directory is empty everytime we generate a newly-created uki +do_uki[cleandirs] = "${B}" +# influence the build directory at the start of the builds +do_uki[dirs] = "${B}" + +# we want to allow specifying files in SRC_URI, such as for signing the UKI +python () { + d.delVarFlag("do_fetch","noexec") + d.delVarFlag("do_unpack","noexec") +} + +# main task +python do_uki() { + import glob + import bb.process + + # Construct the ukify command + ukify_cmd = d.getVar('UKIFY_CMD') + + deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE') + + # initrd + initramfs_image = "%s" % (d.getVar('INITRD_ARCHIVE')) + ukify_cmd += " --initrd=%s" % os.path.join(deploy_dir_image, initramfs_image) + + deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE') + + # Kernel + if d.getVar('KERNEL_IMAGETYPE'): + kernel = "%s/%s" % (deploy_dir_image, d.getVar('KERNEL_IMAGETYPE')) + kernel_version = d.getVar('KERNEL_VERSION') + if not os.path.exists(kernel): + bb.fatal(f"ERROR: cannot find {kernel}.") + + ukify_cmd += " --linux=%s --uname %s" % (kernel, kernel_version) + else: + bb.fatal("ERROR - Required argument: KERNEL") + + # Command line + cmdline = d.getVar('UKI_CMDLINE') + if cmdline: + ukify_cmd += " --cmdline='%s'" % cmdline + + # Architecture + target_arch = d.getVar('EFI_ARCH') + if target_arch: + ukify_cmd += " --efi-arch %s" % target_arch + + # 
systemd stubs from deploy + stub = "%s/linux%s.efi.stub" % (d.getVar('DEPLOY_DIR_IMAGE'), target_arch) + if not os.path.exists(stub): + bb.fatal(f"ERROR: cannot find {stub}.") + ukify_cmd += " --stub %s" % stub + + # Add option for dtb + if d.getVar('KERNEL_DEVICETREE'): + for dtb in d.getVar('KERNEL_DEVICETREE').split(): + dtb_path = "%s/%s" % (deploy_dir_image, dtb) + if not os.path.exists(dtb_path): + bb.fatal(f"ERROR: cannot find {dtb_path}.") + ukify_cmd += " --devicetree %s" % dtb_path + + # Add option to pass a config file the UKI + if os.path.exists(d.getVar('UKI_CONFIG_FILE')): + ukify_cmd += " --config=%s" % d.getVar('UKI_CONFIG_FILE') + + # Tools + ukify_cmd += " --tools=%s%s/lib/systemd/tools" % (d.getVar("RECIPE_SYSROOT_NATIVE"), d.getVar("prefix")) + + # TODO: tpm2 measure for secure boot, depends on systemd-native and TPM tooling + # needed in systemd > 254 to fulfill ConditionSecurity=measured-uki + # Requires TPM device on build host, thus not supported at build time. + #ukify_cmd += " --measure" + + # Custom UKI name + output = " --output=%s/%s" % (d.getVar('DEPLOY_DIR_IMAGE'), d.getVar('UKI_FILENAME')) + ukify_cmd += " %s" % output + + # Run the ukify command + bb.process.run(ukify_cmd, shell=True) +} +addtask uki after do_rootfs before do_deploy do_image_complete do_image_wic -- 2.34.1 ^ permalink raw reply related [flat|nested] 16+ messages in thread
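Review bot: in do_uki the ukify invocation is assembled as one string and executed with bb.process.run(ukify_cmd, shell=True), with UKI_CMDLINE spliced in as --cmdline='%s' and every path interpolated unquoted; a single quote in UKI_CMDLINE ends the quoting and whatever follows is interpreted by the shell, and a space in DEPLOY_DIR_IMAGE or a dtb name splits an argument. Build an argument list and drop shell=True, or at least pass each value through shlex.quote(). Other points in the same hunk: --uname %s is given d.getVar('KERNEL_VERSION'), which image recipes do not set themselves (it comes from kernel.bbclass in the kernel recipe), so without a guard the section will read 'None'; deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE') is assigned twice; the INITRAMFS_IMAGE dependency is added unconditionally to do_image_complete and conditionally to do_uki, so one of the two is redundant; DEPENDS lists systemd-tools-native, which the 1/3 discussion concludes is unnecessary because systemd-boot-native already ships ukify; and the class header says SecureBoot signing is supported via add-ons while the commit message says via the config file, so say which applies, since an unsigned uki.efi deployed to EFI/Linux/ will be rejected once the firmware enforces Secure Boot.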
* Re: [PATCH 3/3] uki.bbclass: add class for building Unified Kernel Images (UKI)
From: Erik Schilling @ 2024-09-02 10:36 UTC (permalink / raw)
To: Mikko Rapeli, openembedded-core; +Cc: Michelle Lin

On Mon Sep 2, 2024 at 11:41 AM CEST, Mikko Rapeli wrote:
> From: Michelle Lin <michelle.linto91@gmail.com>
>
> This class calls systemd ukify tool, which will combine
> kernel/initrd/stub components to build the UKI. To sign the UKI
> (i.e. SecureBoot), the keys/cert files can be specified
> in a configuration file or UEFI binary signing can be done
> via separate steps, see qemuarm64-secureboot in meta-arm.
> UKIs are loaded by UEFI firmware on target which can improve
> security by loading only correctly signed kernel, initrd and kernel
> command line.
>
> Using systemd-measure to pre-calculate TPM PCR values and sign them is
> not supported since that requires a TPM device on the build host. Thus
> "ConditionSecurity=measured-uki" default from systemd 256 does not work
> but "ConditionSecurity=tpm2" in combination with secure boot will.
> These can be used to boot securely into systemd-boot, kernel, kernel
> command line and initrd which then securely mounts a read-only dm-verity
> /usr partition and creates a TPM encrypted read-write / rootfs.
>
> Tested via qemuarm64-secureboot in meta-arm with
> https://lists.yoctoproject.org/g/meta-arm/topic/patch_v3_02_13/108031399
> and a few more changes needed, will be posted separately.
>
> Signed-off-by: Michelle Lin <michelle.linto91@gmail.com>
> Cc: Erik Schilling <erik.schilling@linaro.org>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
>  meta/classes-recipe/uki.bbclass | 158 ++++++++++++++++++++++++++++++++
>  1 file changed, 158 insertions(+)
>  create mode 100644 meta/classes-recipe/uki.bbclass

Acked-by: Erik Schilling <erik.schilling@linaro.org>
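The cover letter and the uki.bbclass commit message above both describe a UKI as the kernel, command line, initrd and metadata packed into named sections of one PE binary, with the Secure Boot signature then covering all of them at once. The Python below is an added example, not code from these patches or from systemd: it decodes the PE section table the way a pre-signing check in a build pipeline would, and refuses an image whose embedded .cmdline carries parameters that reopen the initrd or replace init, since once signed that command line is trusted exactly as much as the kernel. The forbidden-parameter list, the required-section policy and the hand-built sample image (build_pe, sample_uki) are assumptions for the example; the header layout is the standard PE/COFF one that ukify emits, but the sample carries no stub code and is not bootable.

```python
"""Inspect a UKI's PE sections before it is signed for Secure Boot.

Added example, not part of the OE-core patches or of systemd.  A UKI is a
PE/COFF binary whose payloads live in named sections (.linux, .initrd,
.cmdline, .osrel, .uname, .dtb ...).  parse_uki() works on any real UKI
read from disk; sample_uki() builds a constructed, non-bootable PE with the
same section table so the check can be exercised offline.
"""
import struct

# Assumed signing policy: sections that must be present for the image to be
# a complete, self-describing boot unit (the UKI spec itself requires only
# .linux and .osrel; .initrd and .cmdline are required here by policy).
REQUIRED_SECTIONS = {".linux", ".initrd", ".cmdline", ".osrel"}

# Assumed signing policy: parameter prefixes that hand control to an
# unverified shell or replace init before the verified rootfs is mounted.
FORBIDDEN_PREFIXES = ("init=", "rd.break", "rd.shell", "systemd.debug_shell",
                      "systemd.unit=rescue", "systemd.unit=emergency")


def parse_uki(data):
    """Return {section_name: payload} from a PE/COFF image.

    Only the headers needed to locate sections are decoded: the MZ stub's
    e_lfanew, the COFF file header, and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = pe_off + 4
    (_machine, nsect, _ts, _symptr, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size        # section table follows the optional header
    sections = {}
    for i in range(nsect):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii")
        # VirtualSize is the real payload length; SizeOfRawData is padded
        # up to FileAlignment, so prefer the smaller of the two.
        size = min(vsize, raw_size) if vsize else raw_size
        if raw_ptr + size > len(data):
            raise ValueError(f"section {name} extends past end of file")
        sections[name] = data[raw_ptr:raw_ptr + size]
    return sections


def cmdline_of(sections):
    """Decode the NUL-terminated .cmdline section into a string."""
    raw = sections.get(".cmdline", b"")
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def check_uki(sections):
    """Return a list of policy violations; an empty list means OK to sign."""
    problems = []
    missing = REQUIRED_SECTIONS - set(sections)
    if missing:
        problems.append("missing sections: " + ", ".join(sorted(missing)))
    for param in cmdline_of(sections).split():
        if param.startswith(FORBIDDEN_PREFIXES):
            problems.append("forbidden kernel parameter: " + param)
    return problems


def build_pe(sections, align=512):
    """Assemble a minimal PE/COFF file carrying the given sections.

    Constructed test data: AArch64 machine type, no optional header and no
    stub code, so the result has a valid section table but cannot boot."""
    nsect = len(sections)
    pe_off = 0x40
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", pe_off)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0xAA64, nsect, 0, 0, 0, 0, 0x0002)
    data_off = -(-(len(hdr) + 40 * nsect) // align) * align   # first payload offset
    body = bytearray()
    va = 0x1000
    for name, payload in sections.items():
        raw_size = -(-len(payload) // align) * align
        hdr += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                           len(payload), va, raw_size, data_off + len(body),
                           0, 0, 0, 0, 0x40000040)   # INITIALIZED_DATA | MEM_READ
        body += payload.ljust(raw_size, b"\0")
        va += raw_size
    return bytes(hdr).ljust(data_off, b"\0") + bytes(body)


def sample_uki(cmdline=b"rootwait root=/dev/vda2", with_osrel=True):
    """Constructed UKI-shaped image with placeholder kernel and initrd bytes."""
    secs = {
        ".linux": b"MZ" + b"placeholder-kernel" * 40,     # a real one is itself a PE
        ".initrd": b"070701" + b"placeholder-cpio" * 20,   # newc cpio magic
        ".cmdline": cmdline + b"\0",
        ".uname": b"6.6.0\0",
    }
    if with_osrel:
        secs[".osrel"] = b"ID=oe\nVERSION_ID=5.1\n"
    return build_pe(secs)


if __name__ == "__main__":
    for tag, image in (("clean", sample_uki()),
                       ("debug", sample_uki(b"rootwait root=/dev/vda2 init=/bin/sh"))):
        secs = parse_uki(image)
        print(tag, repr(cmdline_of(secs)), check_uki(secs) or "OK to sign")
```

Running the module prints the clean image as OK to sign and flags the second one on init=/bin/sh. In a real pipeline the same parse_uki() is applied to the uki.efi that ukify wrote to DEPLOY_DIR_IMAGE, before sbsign is invoked on it; the point of checking .cmdline rather than the UKI_CMDLINE variable is that the section is what the firmware will actually trust, regardless of how the build assembled it.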