Re: [OE-core] [PATCH 2/2] uki.bbclass: add class for building Unified Kernel Images (UKI)

[Mikko Rapeli <mikko.rapeli@linaro.org>]

Hi,

On Mon, Sep 02, 2024 at 02:01:31PM +0200, Alexander Kanavin wrote:
> On Mon 2. Sep 2024 at 13.23, Mikko Rapeli <mikko.rapeli@linaro.org> wrote:
> 
> > Hi,
> >
> > On Mon, Sep 02, 2024 at 01:11:27PM +0200, Alexander Kanavin wrote:
> > > Should this also have a wic based selftest or some other way to ensure it
> > > works?
> >
> > Yes, but that depends on the UEFI / Arm System Ready compatible firmware.
> >
> > For qemu, this can be setup using meta-arm and qemuarm64-secureboot machine
> > config. The patches for UEFI secure boot are currently in review and if
> > approved
> > I will switch those to boot uki binaries, patches are ready but not
> > submitted
> > yet.
> >
> > I don't know if poky alone can provide UEFI firmware to boot with.
> 
> 
> 
> Doesn’t ovmf recipe provide exactly that? Can you check (grep poky) if
> there are existing tests that involve ovmf (I believe there are but can’t
> check from a smartphone)?

I've checked and I have not found matching examples. We have everything working
for UEFI secure boot for multiple ARM64 boards and qemu, including oeqa runtime tests.
Currently the qemu side changes to support UEFI secure boot are queued to meta-arm[1].
They could in theory be proposed to poky as well but there is no
matching machine config for that. meta-arm provides u-boot and many other
firmware SW components, including fTPM. ovmf seems to be only for x86,
same for the meta-secure-core side examples for UEFI secure boot.

systemd uki support is really generic and not at all specific to arm
architectures. That's why I think it belongs to poky. Yes, the tests
need to be somewhere else currently unless test target HW already
has UEFI compatible firmware, but even with that the deployment of
signing keys/certs needs to be done separately.

[1] https://lists.yoctoproject.org/g/meta-arm/topic/patch_v4_00_13/108164747

Cheers,

-Mikko