mirror of
https://git.yoctoproject.org/meta-arm
synced 2026-07-17 16:17:09 +00:00
Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| ca9375b72d | |||
| 691d479ce4 | |||
| 67a28fc298 |
@@ -265,6 +265,10 @@ qemuarm64-secureboot:
|
||||
TCLIBC: [glibc, musl]
|
||||
TS: [none, qemuarm64-secureboot-ts]
|
||||
TESTING: testimage
|
||||
- TOOLCHAINS: [gcc, clang]
|
||||
TS: [none, qemuarm64-secureboot-ts]
|
||||
UEFISB: [none, uefi-secureboot]
|
||||
TESTING: testimage
|
||||
- KERNEL: linux-yocto-dev
|
||||
TESTING: testimage
|
||||
|
||||
|
||||
@@ -0,0 +1,37 @@
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
|
||||
|
||||
# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed
|
||||
# during the boot process.
|
||||
|
||||
header:
|
||||
version: 14
|
||||
includes:
|
||||
- ci/meta-openembedded.yml
|
||||
- ci/meta-secure-core.yml
|
||||
|
||||
local_conf_header:
|
||||
uefi_secureboot: |
|
||||
SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys"
|
||||
BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR"
|
||||
|
||||
# Detected by passing kernel parameter
|
||||
QB_KERNEL_ROOT = ""
|
||||
|
||||
# kernel is in the image, should not be loaded separately
|
||||
QB_DEFAULT_KERNEL = "none"
|
||||
|
||||
WKS_FILE = "efi-disk.wks.in"
|
||||
KERNEL_IMAGETYPE = "Image"
|
||||
|
||||
MACHINE_FEATURES:append = " efi uefi-secureboot"
|
||||
|
||||
EFI_PROVIDER = "systemd-boot"
|
||||
|
||||
# Use systemd as the init system
|
||||
INIT_MANAGER = "systemd"
|
||||
DISTRO_FEATURES:append = " systemd"
|
||||
DISTRO_FEATURES_NATIVE:append = " systemd"
|
||||
|
||||
IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils"
|
||||
|
||||
TEST_SUITES:append = " uefi_secureboot"
|
||||
@@ -0,0 +1,31 @@
|
||||
# Sign binaries for UEFI Secure Boot
|
||||
#
|
||||
# Usage in recipes:
|
||||
#
|
||||
# Set binary to sign per recipe:
|
||||
# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign"
|
||||
#
|
||||
# Then call do_sbsign() in correct stage of the build
|
||||
# do_compile:append() {
|
||||
# do_sbsign
|
||||
# }
|
||||
|
||||
DEPENDS += 'gen-sbkeys'
|
||||
DEPENDS += "sbsigntool-native"
|
||||
|
||||
SBSIGN_KEY = "${SBSIGN_KEYS_DIR}/db.key"
|
||||
SBSIGN_CERT = "${SBSIGN_KEYS_DIR}/db.crt"
|
||||
SBSIGN_TARGET_BINARY ?= "binary_to_sign"
|
||||
|
||||
# Not adding as task since recipes may need to sign binaries at different
|
||||
# stages. Instead they can call this function when needed by calling this function
|
||||
do_sbsign() {
|
||||
bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}"
|
||||
${STAGING_BINDIR_NATIVE}/sbsign \
|
||||
--key "${SBSIGN_KEY}" \
|
||||
--cert "${SBSIGN_CERT}" \
|
||||
--output "${SBSIGN_TARGET_BINARY}.signed" \
|
||||
"${SBSIGN_TARGET_BINARY}"
|
||||
cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"
|
||||
cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}"
|
||||
}
|
||||
@@ -0,0 +1,29 @@
|
||||
#
|
||||
# SPDX-License-Identifier: MIT
|
||||
#
|
||||
|
||||
from oeqa.runtime.case import OERuntimeTestCase
|
||||
from oeqa.core.decorator.oetimeout import OETimeout
|
||||
|
||||
|
||||
class UEFI_SB_TestSuite(OERuntimeTestCase):
|
||||
"""
|
||||
Validate Secure Boot is Enabled
|
||||
"""
|
||||
|
||||
@OETimeout(1300)
|
||||
def test_uefi_secureboot(self):
|
||||
# Validate Secure Boot is enabled by checking
|
||||
# 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
|
||||
# The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
|
||||
# identifier for the Secure Boot UEFI variable. By checking the value of
|
||||
# this variable, specifically
|
||||
# '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
|
||||
# whether Secure Boot is enabled or not. This variable is set by the
|
||||
# UEFI firmware to indicate the current Secure Boot state. If the
|
||||
# variable is set to a value of '0x1' (or '1'), it indicates that Secure
|
||||
# Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
|
||||
# it indicates that Secure Boot is disabled.
|
||||
cmd = "echo $( od -t u2 -A n -j 4 -N 4 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c )"
|
||||
status, output = self.target.run(cmd, timeout=120)
|
||||
self.assertEqual(output, "1", msg="\n".join([cmd, output]))
|
||||
@@ -0,0 +1,17 @@
|
||||
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
|
||||
|
||||
SRC_URI += "file://uefi-secureboot.cfg"
|
||||
|
||||
inherit sbsign
|
||||
|
||||
DEPENDS += 'python3-pyopenssl-native'
|
||||
|
||||
do_compile:prepend() {
|
||||
export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
|
||||
|
||||
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${SBSIGN_KEYS_DIR}"/PK.esl -t file
|
||||
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${SBSIGN_KEYS_DIR}"/KEK.esl -t file
|
||||
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${SBSIGN_KEYS_DIR}"/db.esl -t file
|
||||
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${SBSIGN_KEYS_DIR}"/dbx.esl -t file
|
||||
"${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
CONFIG_CMD_BOOTMENU=y
|
||||
CONFIG_USE_BOOTCOMMAND=y
|
||||
CONFIG_BOOTCOMMAND="bootmenu"
|
||||
CONFIG_USE_PREBOOT=y
|
||||
CONFIG_EFI_VAR_BUF_SIZE=65536
|
||||
CONFIG_FIT_SIGNATURE=y
|
||||
CONFIG_EFI_SECURE_BOOT=y
|
||||
CONFIG_EFI_VARIABLES_PRESEED=y
|
||||
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
|
||||
CONFIG_PREBOOT_DEFINED=y
|
||||
@@ -2,3 +2,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
|
||||
|
||||
SRC_URI:append:qemuarm64-secureboot = " file://qemuarm64.cfg"
|
||||
SRC_URI:append:qemuarm-secureboot = " file://qemuarm.cfg"
|
||||
|
||||
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-uefi-secureboot.inc', '', d)}
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
inherit sbsign
|
||||
|
||||
SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
|
||||
|
||||
do_compile:append() {
|
||||
do_sbsign
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)}
|
||||
@@ -0,0 +1 @@
|
||||
PACKAGECONFIG:append = " efi"
|
||||
@@ -0,0 +1 @@
|
||||
require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}
|
||||
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \
|
||||
|
||||
FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
|
||||
require ${FFA_TRANSPORT_INCLUDE}
|
||||
|
||||
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
KERNEL_FEATURES += "cfg/efi-ext.scc"
|
||||
|
||||
inherit sbsign
|
||||
|
||||
# shell variable set inside do_compile task
|
||||
SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"
|
||||
|
||||
do_compile:append() {
|
||||
KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)
|
||||
do_sbsign
|
||||
}
|
||||
|
||||
RRECOMMENDS:${PN} += "kernel-module-efivarfs"
|
||||
RRECOMMENDS:${PN} += "kernel-module-efivars"
|
||||
Reference in New Issue
Block a user