mirror of
https://git.yoctoproject.org/meta-arm
synced 2026-01-12 03:10:15 +00:00
691d479ce4
Encapsulate all UEFI Secure Boot required settings in one Kas configuration file. Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated to sign UEFI binaries. Introduce uefi-secureboot machine feature, which is being used to conditionally set the proper UEFI settings in recipes. Replace Grub bootloader with systemd-boot, which it makes easier to enable Secure Boot. Advantages using systemd as Init Manager: - Extending secure boot to userspace is a lot easier with systemd than with sysvinit where custom scripts will need to be written for all use cases. - systemd supports dm-verity and TPM devices for encryption usecases out of the box. Enabling them is a lot easier than writing custom scripts for sysvinit. - systemd also supports EUFI signing the UKI binaries which merge kernel, command line and initrd which helps in bringing secure boot towards rootfs. - systemd offers a modular structure with unit files that are more predictable and easier to manage than the complex and varied scripts used by SysVinit. This modularity allows for better control and customization of the boot process, which is beneficial in Secure Boot environments. - Add CI settings to build and test UEFI Secure Boot. Add one test to verify Secure Boot using OE Testing infraestructure: $ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml ... RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s) ... SUMMARY: core-image-base () - Ran 73 tests in 28.281s core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0) Signed-off-by: Javier Tia <javier.tia@linaro.org> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix] Signed-off-by: Jon Mason <jon.mason@arm.com>
37 lines
1.0 KiB
YAML
37 lines
1.0 KiB
YAML
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
|
|
|
|
# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed
|
|
# during the boot process.
|
|
|
|
header:
|
|
version: 14
|
|
includes:
|
|
- ci/meta-openembedded.yml
|
|
- ci/meta-secure-core.yml
|
|
|
|
local_conf_header:
|
|
uefi_secureboot: |
|
|
SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys"
|
|
BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR"
|
|
|
|
# Detected by passing kernel parameter
|
|
QB_KERNEL_ROOT = ""
|
|
|
|
# kernel is in the image, should not be loaded separately
|
|
QB_DEFAULT_KERNEL = "none"
|
|
|
|
WKS_FILE = "efi-disk.wks.in"
|
|
KERNEL_IMAGETYPE = "Image"
|
|
|
|
MACHINE_FEATURES:append = " efi uefi-secureboot"
|
|
|
|
EFI_PROVIDER = "systemd-boot"
|
|
|
|
# Use systemd as the init system
|
|
INIT_MANAGER = "systemd"
|
|
DISTRO_FEATURES:append = " systemd"
|
|
DISTRO_FEATURES_NATIVE:append = " systemd"
|
|
|
|
IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils"
|
|
|
|
TEST_SUITES:append = " uefi_secureboot" |