mirror of
https://git.yoctoproject.org/meta-arm
synced 2026-07-19 04:47:08 +00:00
Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| ca9375b72d | |||
| 691d479ce4 | |||
| 67a28fc298 |
@@ -265,6 +265,10 @@ qemuarm64-secureboot:
|
|||||||
TCLIBC: [glibc, musl]
|
TCLIBC: [glibc, musl]
|
||||||
TS: [none, qemuarm64-secureboot-ts]
|
TS: [none, qemuarm64-secureboot-ts]
|
||||||
TESTING: testimage
|
TESTING: testimage
|
||||||
|
- TOOLCHAINS: [gcc, clang]
|
||||||
|
TS: [none, qemuarm64-secureboot-ts]
|
||||||
|
UEFISB: [none, uefi-secureboot]
|
||||||
|
TESTING: testimage
|
||||||
- KERNEL: linux-yocto-dev
|
- KERNEL: linux-yocto-dev
|
||||||
TESTING: testimage
|
TESTING: testimage
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,37 @@
|
|||||||
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
|
||||||
|
|
||||||
|
# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed
|
||||||
|
# during the boot process.
|
||||||
|
|
||||||
|
header:
|
||||||
|
version: 14
|
||||||
|
includes:
|
||||||
|
- ci/meta-openembedded.yml
|
||||||
|
- ci/meta-secure-core.yml
|
||||||
|
|
||||||
|
local_conf_header:
|
||||||
|
uefi_secureboot: |
|
||||||
|
SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys"
|
||||||
|
BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR"
|
||||||
|
|
||||||
|
# Detected by passing kernel parameter
|
||||||
|
QB_KERNEL_ROOT = ""
|
||||||
|
|
||||||
|
# kernel is in the image, should not be loaded separately
|
||||||
|
QB_DEFAULT_KERNEL = "none"
|
||||||
|
|
||||||
|
WKS_FILE = "efi-disk.wks.in"
|
||||||
|
KERNEL_IMAGETYPE = "Image"
|
||||||
|
|
||||||
|
MACHINE_FEATURES:append = " efi uefi-secureboot"
|
||||||
|
|
||||||
|
EFI_PROVIDER = "systemd-boot"
|
||||||
|
|
||||||
|
# Use systemd as the init system
|
||||||
|
INIT_MANAGER = "systemd"
|
||||||
|
DISTRO_FEATURES:append = " systemd"
|
||||||
|
DISTRO_FEATURES_NATIVE:append = " systemd"
|
||||||
|
|
||||||
|
IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils"
|
||||||
|
|
||||||
|
TEST_SUITES:append = " uefi_secureboot"
|
||||||
@@ -0,0 +1,31 @@
|
|||||||
|
# Sign binaries for UEFI Secure Boot
|
||||||
|
#
|
||||||
|
# Usage in recipes:
|
||||||
|
#
|
||||||
|
# Set binary to sign per recipe:
|
||||||
|
# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign"
|
||||||
|
#
|
||||||
|
# Then call do_sbsign() in correct stage of the build
|
||||||
|
# do_compile:append() {
|
||||||
|
# do_sbsign
|
||||||
|
# }
|
||||||
|
|
||||||
|
DEPENDS += 'gen-sbkeys'
|
||||||
|
DEPENDS += "sbsigntool-native"
|
||||||
|
|
||||||
|
SBSIGN_KEY = "${SBSIGN_KEYS_DIR}/db.key"
|
||||||
|
SBSIGN_CERT = "${SBSIGN_KEYS_DIR}/db.crt"
|
||||||
|
SBSIGN_TARGET_BINARY ?= "binary_to_sign"
|
||||||
|
|
||||||
|
# Not adding as task since recipes may need to sign binaries at different
|
||||||
|
# stages. Instead they can call this function when needed by calling this function
|
||||||
|
do_sbsign() {
|
||||||
|
bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}"
|
||||||
|
${STAGING_BINDIR_NATIVE}/sbsign \
|
||||||
|
--key "${SBSIGN_KEY}" \
|
||||||
|
--cert "${SBSIGN_CERT}" \
|
||||||
|
--output "${SBSIGN_TARGET_BINARY}.signed" \
|
||||||
|
"${SBSIGN_TARGET_BINARY}"
|
||||||
|
cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"
|
||||||
|
cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}"
|
||||||
|
}
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
#
|
||||||
|
# SPDX-License-Identifier: MIT
|
||||||
|
#
|
||||||
|
|
||||||
|
from oeqa.runtime.case import OERuntimeTestCase
|
||||||
|
from oeqa.core.decorator.oetimeout import OETimeout
|
||||||
|
|
||||||
|
|
||||||
|
class UEFI_SB_TestSuite(OERuntimeTestCase):
|
||||||
|
"""
|
||||||
|
Validate Secure Boot is Enabled
|
||||||
|
"""
|
||||||
|
|
||||||
|
@OETimeout(1300)
|
||||||
|
def test_uefi_secureboot(self):
|
||||||
|
# Validate Secure Boot is enabled by checking
|
||||||
|
# 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot.
|
||||||
|
# The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known
|
||||||
|
# identifier for the Secure Boot UEFI variable. By checking the value of
|
||||||
|
# this variable, specifically
|
||||||
|
# '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine
|
||||||
|
# whether Secure Boot is enabled or not. This variable is set by the
|
||||||
|
# UEFI firmware to indicate the current Secure Boot state. If the
|
||||||
|
# variable is set to a value of '0x1' (or '1'), it indicates that Secure
|
||||||
|
# Boot is enabled. If the variable is set to a value of '0x0' (or '0'),
|
||||||
|
# it indicates that Secure Boot is disabled.
|
||||||
|
cmd = "echo $( od -t u2 -A n -j 4 -N 4 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c )"
|
||||||
|
status, output = self.target.run(cmd, timeout=120)
|
||||||
|
self.assertEqual(output, "1", msg="\n".join([cmd, output]))
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
|
||||||
|
|
||||||
|
SRC_URI += "file://uefi-secureboot.cfg"
|
||||||
|
|
||||||
|
inherit sbsign
|
||||||
|
|
||||||
|
DEPENDS += 'python3-pyopenssl-native'
|
||||||
|
|
||||||
|
do_compile:prepend() {
|
||||||
|
export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
|
||||||
|
|
||||||
|
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${SBSIGN_KEYS_DIR}"/PK.esl -t file
|
||||||
|
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${SBSIGN_KEYS_DIR}"/KEK.esl -t file
|
||||||
|
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${SBSIGN_KEYS_DIR}"/db.esl -t file
|
||||||
|
"${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${SBSIGN_KEYS_DIR}"/dbx.esl -t file
|
||||||
|
"${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
|
||||||
|
}
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
CONFIG_CMD_BOOTMENU=y
|
||||||
|
CONFIG_USE_BOOTCOMMAND=y
|
||||||
|
CONFIG_BOOTCOMMAND="bootmenu"
|
||||||
|
CONFIG_USE_PREBOOT=y
|
||||||
|
CONFIG_EFI_VAR_BUF_SIZE=65536
|
||||||
|
CONFIG_FIT_SIGNATURE=y
|
||||||
|
CONFIG_EFI_SECURE_BOOT=y
|
||||||
|
CONFIG_EFI_VARIABLES_PRESEED=y
|
||||||
|
CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
|
||||||
|
CONFIG_PREBOOT_DEFINED=y
|
||||||
@@ -2,3 +2,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
|
|||||||
|
|
||||||
SRC_URI:append:qemuarm64-secureboot = " file://qemuarm64.cfg"
|
SRC_URI:append:qemuarm64-secureboot = " file://qemuarm64.cfg"
|
||||||
SRC_URI:append:qemuarm-secureboot = " file://qemuarm.cfg"
|
SRC_URI:append:qemuarm-secureboot = " file://qemuarm.cfg"
|
||||||
|
|
||||||
|
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-uefi-secureboot.inc', '', d)}
|
||||||
|
|||||||
@@ -0,0 +1,7 @@
|
|||||||
|
inherit sbsign
|
||||||
|
|
||||||
|
SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
|
||||||
|
|
||||||
|
do_compile:append() {
|
||||||
|
do_sbsign
|
||||||
|
}
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)}
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
PACKAGECONFIG:append = " efi"
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}
|
||||||
@@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \
|
|||||||
|
|
||||||
FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
|
FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
|
||||||
require ${FFA_TRANSPORT_INCLUDE}
|
require ${FFA_TRANSPORT_INCLUDE}
|
||||||
|
|
||||||
|
require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
|
||||||
|
|||||||
@@ -0,0 +1,14 @@
|
|||||||
|
KERNEL_FEATURES += "cfg/efi-ext.scc"
|
||||||
|
|
||||||
|
inherit sbsign
|
||||||
|
|
||||||
|
# shell variable set inside do_compile task
|
||||||
|
SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"
|
||||||
|
|
||||||
|
do_compile:append() {
|
||||||
|
KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)
|
||||||
|
do_sbsign
|
||||||
|
}
|
||||||
|
|
||||||
|
RRECOMMENDS:${PN} += "kernel-module-efivarfs"
|
||||||
|
RRECOMMENDS:${PN} += "kernel-module-efivars"
|
||||||
Reference in New Issue
Block a user