From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com, Felix Moessbauer
Subject: [PATCH 01/10] wic: add option to use debian EFI shim
Date: Fri, 23 Dec 2022 08:40:49 +0000
Message-Id: <20221223084058.1899957-2-felix.moessbauer@siemens.com>
In-Reply-To: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
References: <20221223084058.1899957-1-felix.moessbauer@siemens.com>

This patch extends the bootimg-efi-isar WIC plugin by adding support for the debian SB boot chain. This is controlled by the source-params option use-debian-sb-stub.

When set to true, the EFI shim signed by Microsoft is used as first-stage bootloader. This then loads the grubx64.efi loader which is signed by the Debian UEFI CA. This loader then loads an official debian kernel, also signed by Debian. By that, no changes to the chain are possible and it can only be used to boot stock debian kernels.

Given these limitations, this pattern is very useful to boot these images on systems where secure boot is enabled and default (MS) keys are enrolled.

Signed-off-by: Felix Moessbauer
---
 .../lib/wic/plugins/source/bootimg-efi-isar.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py b/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
index 006c8bc..139ef46 100644
--- a/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
+++ b/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
@@ -303,6 +303,10 @@ class BootimgEFIPlugin(SourcePlugin): if not kernel_dir: raise WicError("Couldn't find DEPLOY_DIR_IMAGE, exiting") + if source_params.get('use-debian-sb-stub') == "true": + if get_bitbake_var("DISTRO_ARCH") != "amd64" or source_params['loader'] != 'grub-efi': + raise WicError("use-debian-sb-stub only supported in grub-efi on amd64") + staging_kernel_dir = kernel_dir hdddir = "%s/hdd/boot" % cr_workdir @@ -435,6 +439,18 @@ class BootimgEFIPlugin(SourcePlugin): grub_cmd += "memdisk ls search_fs_uuid udf btrfs xfs lvm " grub_cmd += "reiserfs regexp " + grub_modules exec_cmd(grub_cmd) + + if source_params.get('use-debian-sb-stub') == "true": + files = [ + # src, efiname, mandatory + ("/usr/lib/shim/shimx64.efi.signed", "bootx64.efi", True), + ("/usr/lib/shim/mmx64.efi.signed", "mmx64.efi", False), + ("/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed", "grubx64.efi", True) + ] + for s,e,m in files: + cp_cmd = "cp %s %s/EFI/BOOT/%s" % (s, bootimg_dir, e) + exec_cmd(cp_cmd, m) + elif source_params['loader'] == 'systemd-boot': # backup kernel dir before overwriting kernel_dir_orig = kernel_dir -- 2.34.1
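Review bot: in the first hunk (@@ -303), the new option is only honoured for the exact string "true"; any other spelling in --sourceparams ("True", "yes", "1") silently falls through to the unsigned grub-mkimage path, so a user who believes the image was built for the signed shim chain gets an unsigned bootx64.efi with no diagnostic. Consider normalising the value (e.g. .lower()) or rejecting anything other than "true"/"false" with a WicError, matching the strictness of the arch/loader check right below it.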
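Review bot: in the second hunk (@@ -435), the "mandatory" flag from the table is passed as the second positional argument of exec_cmd; in wic's misc.py that parameter is as_shell, not a tolerate-failure switch, so the non-mandatory mmx64.efi copy still aborts the build when /usr/lib/shim/mmx64.efi.signed is absent, while the two mandatory copies are merely executed through a shell. If the intent is an optional copy, test os.path.exists(s) before issuing the cp (or use shutil.copy and catch the error only when m is False) and leave exec_cmd's second argument at its default. It would also help to document, next to the option, that shim-signed and grub-efi-amd64-signed must be installed in the environment where wic runs, since those packages are the only source of the three .signed files.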
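A post-build check that goes with the boot chain the commit message describes, added here as an example and not part of the patch or of Isar's wic plugin: it walks the ESP layout the second hunk produces (EFI/BOOT/bootx64.efi, mmx64.efi, grubx64.efi) and confirms that each binary carries a PE Attribute Certificate Table, which the .signed shim and grub from Debian have and a raw grub-mkimage output does not. Assumptions: the ESP is mounted or extracted at a local directory; the check only tests that an Authenticode signature is present, not who signed it (that needs sbverify or similar); make_fake_pe and demo_findings produce constructed header-only stubs for the demonstration, not real EFI binaries.

```python
import os
import struct
import tempfile

# Files the patch copies into the ESP when use-debian-sb-stub=true,
# with the same mandatory flags as its table.
EXPECTED_FILES = [
    ("EFI/BOOT/bootx64.efi", True),   # shimx64.efi.signed
    ("EFI/BOOT/mmx64.efi", False),    # mmx64.efi.signed (MokManager)
    ("EFI/BOOT/grubx64.efi", True),   # grubx64.efi.signed
]

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory index of the certificate table


def certificate_table(pe):
    """Return (file offset, size) of the PE Attribute Certificate Table, or
    None if the data is not a PE image.  (0, 0) means the image is unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt_hdr = e_lfanew + 4 + 20              # skip signature and COFF header
    if opt_hdr + 2 > len(pe):
        return None
    (magic,) = struct.unpack_from("<H", pe, opt_hdr)
    if magic == 0x20B:                       # PE32+ (all x86_64 EFI binaries)
        dd_base = opt_hdr + 0x70
    elif magic == 0x10B:                     # PE32
        dd_base = opt_hdr + 0x60
    else:
        return None
    entry = dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > len(pe):
        return None
    return struct.unpack_from("<II", pe, entry)


def is_signed(pe):
    """True when the image has a non-empty certificate table."""
    tbl = certificate_table(pe)
    return tbl is not None and tbl[0] != 0 and tbl[1] != 0


def check_esp(esp_root):
    """Return a list of findings; an empty list means every mandatory binary
    is present and every present binary carries a certificate table."""
    findings = []
    for rel, mandatory in EXPECTED_FILES:
        path = os.path.join(esp_root, rel)
        if not os.path.exists(path):
            if mandatory:
                findings.append("missing: " + rel)
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if certificate_table(data) is None:
            findings.append("not a PE image: " + rel)
        elif not is_signed(data):
            findings.append("unsigned (no certificate table): " + rel)
    return findings


def make_fake_pe(cert_size):
    """Constructed PE32+ header stub for the demo: not a bootable EFI image,
    just enough structure for certificate_table().  cert_size == 0 models an
    unsigned binary such as raw grub-mkimage output."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: machine x86-64, 0 sections, optional header of 240 bytes
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    cert_off = 0x200 if cert_size else 0
    struct.pack_into("<II", opt, 0x70 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, cert_size)
    return bytes(dos) + coff + bytes(opt)


def demo_findings():
    """Stage a constructed ESP: signed shim, no MokManager, unsigned grub."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "EFI", "BOOT"))
    with open(os.path.join(root, "EFI", "BOOT", "bootx64.efi"), "wb") as fh:
        fh.write(make_fake_pe(1536))
    with open(os.path.join(root, "EFI", "BOOT", "grubx64.efi"), "wb") as fh:
        fh.write(make_fake_pe(0))
    return check_esp(root)


if __name__ == "__main__":
    for line in demo_findings() or ["ESP looks like the signed shim chain"]:
        print(line)
```

Run it against a real image with `check_esp("/mnt/esp")` after mounting the boot partition; a finding for bootx64.efi or grubx64.efi means the option did not take effect (see the exact-string match in the first hunk) or the .signed sources were not installed where wic ran. A missing mmx64.efi is reported nowhere because the patch marks it optional, mirroring its table.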