arm/qemuarm64-secureboot: Enable UEFI Secure Boot

Encapsulate all UEFI Secure Boot required settings in one Kas configuration file. Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated to sign UEFI binaries. Introduce uefi-secureboot machine feature, which is being used to conditionally set the proper UEFI settings in recipes. Replace Grub bootloader with systemd-boot, which it makes easier to enable Secure Boot. Advantages using systemd as Init Manager: - Extending secure boot to userspace is a lot easier with systemd than with sysvinit where custom scripts will need to be written for all use cases. - systemd supports dm-verity and TPM devices for encryption usecases out of the box. Enabling them is a lot easier than writing custom scripts for sysvinit. - systemd also supports EUFI signing the UKI binaries which merge kernel, command line and initrd which helps in bringing secure boot towards rootfs. - systemd offers a modular structure with unit files that are more predictable and easier to manage than the complex and varied scripts used by SysVinit. This modularity allows for better control and customization of the boot process, which is beneficial in Secure Boot environments. - Add CI settings to build and test UEFI Secure Boot. Add one test to verify Secure Boot using OE Testing infraestructure: $ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml ... RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s) ... SUMMARY: core-image-base () - Ran 73 tests in 28.281s core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0) Signed-off-by: Javier Tia <javier.tia@linaro.org> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix] Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-01-11 15:00:39 +00:00 · 2024-10-03 15:33:30 -06:00
parent fc08510f22
commit 847fd39b25
3 changed files with 67 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -264,6 +264,7 @@ qemuarm64-secureboot:
        TOOLCHAINS: [gcc, clang]
        TCLIBC: [glibc, musl]
        TS: [none, qemuarm64-secureboot-ts]
+        UEFISB: [none, uefi-secureboot]
        TESTING: testimage
      - KERNEL: linux-yocto-dev
        TESTING: testimage
--- a/ci/uefi-secureboot.yml
+++ b/ci/uefi-secureboot.yml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
+# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed
+# during the boot process.
+
+header:
+  version: 14
+  includes:
+    - ci/meta-openembedded.yml
+    - ci/meta-secure-core.yml
+
+local_conf_header:
+  uefi_secureboot: |
+    SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys"
+    BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR"
+
+    # Detected by passing kernel parameter
+    QB_KERNEL_ROOT = ""
+
+    # kernel is in the image, should not be loaded separately
+    QB_DEFAULT_KERNEL = "none"
+
+    WKS_FILE = "efi-disk.wks.in"
+    KERNEL_IMAGETYPE = "Image"
+
+    MACHINE_FEATURES:append = " efi uefi-secureboot"
+
+    EFI_PROVIDER = "systemd-boot"
+
+    # Use systemd as the init system
+    INIT_MANAGER = "systemd"
+    DISTRO_FEATURES:append = " systemd"
+    DISTRO_FEATURES_NATIVE:append = " systemd"
+
+    IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils"
+
+    TEST_SUITES:append = " uefi_secureboot"
--- a/meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py
+++ b/meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py
@@ -0,0 +1,29 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.oetimeout import OETimeout
+
+
+class UEFI_SB_TestSuite(OERuntimeTestCase):
+    """
+    Validate Secure Boot is Enabled
+    """
+
+    @OETimeout(1300)
+    def test_uefi_secureboot(self):
+        # Validate Secure Boot is enabled by checking
+        # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
+        # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
+        # identifier for the Secure Boot UEFI variable. By checking the value of
+        # this variable, specifically
+        # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
+        # whether Secure Boot is enabled or not. This variable is set by the
+        # UEFI firmware to indicate the current Secure Boot state. If the
+        # variable is set to a value of '0x1' (or '1'), it indicates that Secure
+        # Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
+        # it indicates that Secure Boot is disabled.
+        cmd = "echo $( od -t u2  -A n -j 4 -N 4 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c )"
+        status, output = self.target.run(cmd, timeout=120)
+        self.assertEqual(output, "1", msg="\n".join([cmd, output]))