From: Felix Moessbauer <felix.moessbauer@siemens.com>
To: isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com,
Felix Moessbauer <felix.moessbauer@siemens.com>
Subject: [PATCH 01/10] wic: add option to use debian EFI shim
Date: Fri, 23 Dec 2022 08:40:49 +0000
Message-ID: <20221223084058.1899957-2-felix.moessbauer@siemens.com>
In-Reply-To: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
This patch extends the bootimg-efi-isar WIC plugin by adding support for
the Debian SB boot chain. This is controlled by the source-params option
use-debian-sb-stub. When set to true, the EFI shim signed by Microsoft
is used as first-stage bootloader. This then loads the grubx64.efi
loader which is signed by the Debian UEFI CA. This loader then loads an
official Debian kernel, also signed by Debian.

By that, no changes to the chain are possible and it can only be used to
boot stock Debian kernels. Given these limitations, this pattern is very
useful to boot these images on systems where secure boot is enabled and
default (MS) keys are enrolled.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
.../lib/wic/plugins/source/bootimg-efi-isar.py | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py b/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
index 006c8bc..139ef46 100644
--- a/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
+++ b/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
@@ -303,6 +303,10 @@ class BootimgEFIPlugin(SourcePlugin):
if not kernel_dir:
raise WicError("Couldn't find DEPLOY_DIR_IMAGE, exiting")
+ if source_params.get('use-debian-sb-stub') == "true":
+ if get_bitbake_var("DISTRO_ARCH") != "amd64" or source_params['loader'] != 'grub-efi':
+ raise WicError("use-debian-sb-stub only supported in grub-efi on amd64")
+
staging_kernel_dir = kernel_dir
hdddir = "%s/hdd/boot" % cr_workdir
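Review bot: the gate `if source_params.get('use-debian-sb-stub') == "true":` accepts only the exact lowercase string, so a .wks line such as `use-debian-sb-stub=True` or `=1` silently leaves the option off and the image is still assembled with the locally built, unsigned grub instead of raising an error; normalise the value (e.g. `.lower()`) or parse it the same way the plugin handles its other boolean source params, and add `use-debian-sb-stub` together with its amd64/grub-efi restriction to the plugin's documented source params, since the WicError message in `raise WicError("use-debian-sb-stub only supported in grub-efi on amd64")` is currently the only place the option is described.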
@@ -435,6 +439,18 @@ class BootimgEFIPlugin(SourcePlugin):
grub_cmd += "memdisk ls search_fs_uuid udf btrfs xfs lvm "
grub_cmd += "reiserfs regexp " + grub_modules
exec_cmd(grub_cmd)
+
+ if source_params.get('use-debian-sb-stub') == "true":
+ files = [
+ # src, efiname, mandatory
+ ("/usr/lib/shim/shimx64.efi.signed", "bootx64.efi", True),
+ ("/usr/lib/shim/mmx64.efi.signed", "mmx64.efi", False),
+ ("/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed", "grubx64.efi", True)
+ ]
+ for s,e,m in files:
+ cp_cmd = "cp %s %s/EFI/BOOT/%s" % (s, bootimg_dir, e)
+ exec_cmd(cp_cmd, m)
+
elif source_params['loader'] == 'systemd-boot':
# backup kernel dir before overwriting
kernel_dir_orig = kernel_dir
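Review bot: the `m` ("mandatory") flag in `exec_cmd(cp_cmd, m)` is passed as exec_cmd's second positional argument, which in wic's misc.py is `as_shell`, not an optional-failure switch; exec_cmd raises WicError on any non-zero exit, so a missing `/usr/lib/shim/mmx64.efi.signed` (the entry marked `False`) still aborts image creation, and the comment `# src, efiname, mandatory` promises behaviour the loop does not implement. Suggest testing `os.path.exists(s)` before the copy and raising a WicError naming the file only when `m` is true, otherwise `continue`. Two smaller points: if `grub_cmd` (executed just above via `exec_cmd(grub_cmd)`) writes its image under the same `EFI/BOOT/` names, that unsigned build is done only to be overwritten by the copies and could be skipped when the stub is enabled; and the copy sources are absolute paths, so the branch depends on the shim and signed grub packages being installed where wic runs, which deserves a comment or a clearer error than cp's own.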
--
2.34.1
Thread overview: 17+ messages
2022-12-23 8:40 [PATCH 00/10] Add support for secureboot using Debian boot chain Felix Moessbauer
2022-12-23 8:40 ` Felix Moessbauer [this message]
2022-12-23 8:40 ` [PATCH 02/10] add debian sb chain bootloader dependencies Felix Moessbauer
2022-12-23 8:40 ` [PATCH 03/10] add example wic file for sb debian boot chain Felix Moessbauer
2022-12-23 8:40 ` [PATCH 04/10] style: split overlong line in module.inc Felix Moessbauer
2022-12-23 8:40 ` [PATCH 05/10] add support to sign kernel modules Felix Moessbauer
2022-12-23 8:40 ` [PATCH 06/10] add example to generated and distribute MOK data Felix Moessbauer
2023-02-03 6:05 ` Jan Kiszka
2022-12-23 8:40 ` [PATCH 07/10] add signed variant of example-module Felix Moessbauer
2022-12-23 8:40 ` [PATCH 08/10] add new machine qemuamd64-sb and corresponding mc Felix Moessbauer
2022-12-23 8:40 ` [PATCH 09/10] fix: only append kargs and extra_kargs if set Felix Moessbauer
2022-12-23 8:40 ` [PATCH 10/10] start_vm: add support for secureboot Felix Moessbauer
2023-01-27 5:07 ` Uladzimir Bely
2023-01-27 8:11 ` Moessbauer, Felix
2023-01-27 8:41 ` Florian Bezdeka
2023-01-27 9:10 ` Uladzimir Bely
2023-01-25 7:17 ` [PATCH 00/10] Add support for secureboot using Debian boot chain Uladzimir Bely