1
0
mirror of https://git.yoctoproject.org/meta-arm synced 2026-07-17 16:17:09 +00:00

Compare commits

...

3 Commits

Author SHA1 Message Date
Jon Mason ca9375b72d CI: Rework qemuarm64-secureboot matrix
qemuarm64-secureboot is using systemd for uefi-secureboot, which has
warnings with musl (and fails to compile with clang and musl).  So,
modify the matrix to keep the coverage of everything else but musl.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:17:58 -04:00
Javier Tia 691d479ce4 arm/qemuarm64-secureboot: Enable UEFI Secure Boot
Encapsulate all UEFI Secure Boot required settings in one Kas
configuration file.

Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated
to sign UEFI binaries. 

Introduce uefi-secureboot machine feature, which is being used to
conditionally set the proper UEFI settings in recipes.

Replace Grub bootloader with systemd-boot, which it makes easier to
enable Secure Boot.

Advantages using systemd as Init Manager:

- Extending secure boot to userspace is a lot easier with systemd than
with sysvinit where custom scripts will need to be written for all use
cases.

- systemd supports dm-verity and TPM devices for encryption usecases out
of the box. Enabling them is a lot easier than writing custom scripts
for sysvinit.

- systemd also supports EUFI signing the UKI binaries which merge kernel,
command line and initrd which helps in bringing secure boot towards
rootfs.

- systemd offers a modular structure with unit files that are more
predictable and easier to manage than the complex and varied scripts
used by SysVinit. This modularity allows for better control and
customization of the boot process, which is beneficial in Secure Boot
environments.

- Add CI settings to build and test UEFI Secure Boot.

Add one test to verify Secure Boot using OE Testing infraestructure:

$ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml
...
RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s)
...
SUMMARY:
core-image-base () - Ran 73 tests in 28.281s
core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0)

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix]
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:17:44 -04:00
Javier Tia 67a28fc298 arm: Enable Secure Boot in all required recipes
In the target, Secure Boot starts from the firmware (u-boot), adds the
signing keys, and verifies the bootloader (systemd-boot) and kernel
(Linux).

sbsign bbclass is used to sign the binaries. sbsign is the name of the
tool used to sign these binaries. Hence the name of this class to sbsign
and variables with SBSIGN prefix.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:17:44 -04:00
13 changed files with 156 additions and 0 deletions
+4
View File
@@ -265,6 +265,10 @@ qemuarm64-secureboot:
TCLIBC: [glibc, musl]
TS: [none, qemuarm64-secureboot-ts]
TESTING: testimage
- TOOLCHAINS: [gcc, clang]
TS: [none, qemuarm64-secureboot-ts]
UEFISB: [none, uefi-secureboot]
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
+37
View File
@@ -0,0 +1,37 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed
# during the boot process.
header:
version: 14
includes:
- ci/meta-openembedded.yml
- ci/meta-secure-core.yml
local_conf_header:
uefi_secureboot: |
SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys"
BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR"
# Detected by passing kernel parameter
QB_KERNEL_ROOT = ""
# kernel is in the image, should not be loaded separately
QB_DEFAULT_KERNEL = "none"
WKS_FILE = "efi-disk.wks.in"
KERNEL_IMAGETYPE = "Image"
MACHINE_FEATURES:append = " efi uefi-secureboot"
EFI_PROVIDER = "systemd-boot"
# Use systemd as the init system
INIT_MANAGER = "systemd"
DISTRO_FEATURES:append = " systemd"
DISTRO_FEATURES_NATIVE:append = " systemd"
IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils"
TEST_SUITES:append = " uefi_secureboot"
+31
View File
@@ -0,0 +1,31 @@
# Sign binaries for UEFI Secure Boot
#
# Usage in recipes:
#
# Set binary to sign per recipe:
# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign"
#
# Then call do_sbsign() in correct stage of the build
# do_compile:append() {
# do_sbsign
# }
DEPENDS += 'gen-sbkeys'
DEPENDS += "sbsigntool-native"
SBSIGN_KEY = "${SBSIGN_KEYS_DIR}/db.key"
SBSIGN_CERT = "${SBSIGN_KEYS_DIR}/db.crt"
SBSIGN_TARGET_BINARY ?= "binary_to_sign"
# Not adding as task since recipes may need to sign binaries at different
# stages. Instead they can call this function when needed by calling this function
do_sbsign() {
bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}"
${STAGING_BINDIR_NATIVE}/sbsign \
--key "${SBSIGN_KEY}" \
--cert "${SBSIGN_CERT}" \
--output "${SBSIGN_TARGET_BINARY}.signed" \
"${SBSIGN_TARGET_BINARY}"
cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"
cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}"
}
@@ -0,0 +1,29 @@
#
# SPDX-License-Identifier: MIT
#
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.oetimeout import OETimeout
class UEFI_SB_TestSuite(OERuntimeTestCase):
"""
Validate Secure Boot is Enabled
"""
@OETimeout(1300)
def test_uefi_secureboot(self):
# Validate Secure Boot is enabled by checking
# 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
# The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
# identifier for the Secure Boot UEFI variable. By checking the value of
# this variable, specifically
# '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
# whether Secure Boot is enabled or not. This variable is set by the
# UEFI firmware to indicate the current Secure Boot state. If the
# variable is set to a value of '0x1' (or '1'), it indicates that Secure
# Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
# it indicates that Secure Boot is disabled.
cmd = "echo $( od -t u2 -A n -j 4 -N 4 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c )"
status, output = self.target.run(cmd, timeout=120)
self.assertEqual(output, "1", msg="\n".join([cmd, output]))
@@ -0,0 +1,17 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://uefi-secureboot.cfg"
inherit sbsign
DEPENDS += 'python3-pyopenssl-native'
do_compile:prepend() {
export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${SBSIGN_KEYS_DIR}"/PK.esl -t file
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${SBSIGN_KEYS_DIR}"/KEK.esl -t file
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${SBSIGN_KEYS_DIR}"/db.esl -t file
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${SBSIGN_KEYS_DIR}"/dbx.esl -t file
"${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
}
@@ -0,0 +1,10 @@
CONFIG_CMD_BOOTMENU=y
CONFIG_USE_BOOTCOMMAND=y
CONFIG_BOOTCOMMAND="bootmenu"
CONFIG_USE_PREBOOT=y
CONFIG_EFI_VAR_BUF_SIZE=65536
CONFIG_FIT_SIGNATURE=y
CONFIG_EFI_SECURE_BOOT=y
CONFIG_EFI_VARIABLES_PRESEED=y
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
CONFIG_PREBOOT_DEFINED=y
@@ -2,3 +2,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI:append:qemuarm64-secureboot = " file://qemuarm64.cfg"
SRC_URI:append:qemuarm-secureboot = " file://qemuarm.cfg"
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-uefi-secureboot.inc', '', d)}
@@ -0,0 +1,7 @@
inherit sbsign
SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
do_compile:append() {
do_sbsign
}
@@ -0,0 +1 @@
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)}
@@ -0,0 +1 @@
PACKAGECONFIG:append = " efi"
@@ -0,0 +1 @@
require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \
FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
require ${FFA_TRANSPORT_INCLUDE}
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
@@ -0,0 +1,14 @@
KERNEL_FEATURES += "cfg/efi-ext.scc"
inherit sbsign
# shell variable set inside do_compile task
SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"
do_compile:append() {
KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)
do_sbsign
}
RRECOMMENDS:${PN} += "kernel-module-efivarfs"
RRECOMMENDS:${PN} += "kernel-module-efivars"