On Wed, Oct 9, 2024 at 8:27 AM Mikko Rapeli via lists.openembedded.org <[email protected]> wrote:
>
> From: Michelle Lin <[email protected]>
>
> This class calls the systemd ukify tool, which will combine
> kernel/initrd/stub components to build the UKI. To sign the UKI
> (i.e. SecureBoot), the keys/cert files can be specified
> in a configuration file or UEFI binary signing can be done
> via separate steps, see qemuarm64-secureboot in meta-arm.
> UKIs are loaded by UEFI firmware on target which can improve
> security by loading only correctly signed kernel, initrd and kernel
> command line.
>
> Using systemd-measure to pre-calculate TPM PCR values and sign them is
> not supported since that requires a TPM device on the build host. Thus
> "ConditionSecurity=measured-uki" default from systemd 256 does not work
> but "ConditionSecurity=tpm2" in combination with secure boot will.
> These can be used to boot securely into systemd-boot, kernel, kernel
> command line and initrd which then securely mounts a read-only dm-verity
> /usr partition and creates a TPM encrypted read-write / rootfs.
>
> Tested via qemuarm64-secureboot in meta-arm with
> https://lists.yoctoproject.org/g/meta-arm/topic/patch_v3_02_13/108031399
> and a few more changes needed, will be posted separately.
>
> Signed-off-by: Michelle Lin <[email protected]>
> Acked-by: Erik Schilling <[email protected]>
> Signed-off-by: Mikko Rapeli <[email protected]>
> ---
>  meta/classes-recipe/uki.bbclass | 197 ++++++++++++++++++++++++++++++++
>  1 file changed, 197 insertions(+)
>  create mode 100644 meta/classes-recipe/uki.bbclass
>
> diff --git a/meta/classes-recipe/uki.bbclass b/meta/classes-recipe/uki.bbclass
> new file mode 100644
> index 0000000000..fac50ea8ca
> --- /dev/null
> +++ b/meta/classes-recipe/uki.bbclass
> @@ -0,0 +1,197 @@ > +# Unified kernel image (UKI) class > +# > +# This bbclass merges kernel, initrd etc as a UKI standard UEFI binary, > +# to be loaded with UEFI firmware and systemd-boot on target HW. > +# TPM PCR pre-calculation is not supported since systemd-measure tooling > +# is meant to run on target, not in cross compile environment. > +# > +# See: > +# https://www.freedesktop.org/software/systemd/man/latest/ukify.html > +# https://uapi-group.org/specifications/specs/unified_kernel_image/ > +# > +# The UKI contains: > +# > +# - UEFI stub > +# The linux kernel can generate a UEFI stub, however the one from > systemd-boot can fetch > +# the command line from a separate section of the EFI application, > avoiding the need to > +# rebuild the kernel. > +# - kernel > +# - initramfs > +# - kernel command line > +# - uname -r kernel version > +# - /etc/os-release to create a boot menu with version details > +# - optionally secure boot signature(s) > +# - other metadata (e.g. TPM PCR measurements) > +# > +# Usage instructions: > +# > +# - requires UEFI compatible firmware on target, e.g. qemuarm64-secureboot > u-boot based > +# from meta-arm or qemux86 ovmf/edk2 based firmware for x86_64 > +# > +# - Distro/build config: > +# > +# INIT_MANAGER = "systemd" > +# MACHINE_FEATURES:append = " efi" > +# DISTRO_FEATURES:append = " systemd" > +# DISTRO_FEATURES_NATIVE:append = " systemd" > +# EFI_PROVIDER = "systemd-boot" > +# INITRAMFS_IMAGE = "core-image-minimal-initramfs" > +# > +# - image recipe: > +# > +# inherit uki
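Review bot: the header comment lists "other metadata (e.g. TPM PCR measurements)" among the UKI contents, yet the same comment states that TPM PCR pre-calculation is not supported because systemd-measure is meant to run on target; the usage instructions should say explicitly that this class produces no PCR measurement or signature data, so a reader does not expect the "ConditionSecurity=measured-uki" default that the commit message says will not work. The usage block should also document how the signing keys/cert configuration file mentioned in the commit message is supplied, since the "Distro/build config" and "image recipe" snippets cover only INIT_MANAGER, the efi/systemd features, EFI_PROVIDER, INITRAMFS_IMAGE and `inherit uki`, leaving someone following the header alone with no pointer to the signing setup.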
Wouldn't it be better if this was a kernel class instead, similar to how it is done with fitimage (via kernel-fitimage.bbclass)? I see a lot of similarities here, and it is confusing that one is done as a kernel class and the other is added by including in the image recipe instead.

Thanks,
--
Ricardo Salveti
