Re: secure boot w/ Mender bzImage fails validation #dunfell
|
Leo
Hi Casey, I've recently had to activate secureboot on some uefi target. I was trying to use meta-secure-core/meta-efi-secure-boot aft first, but after digging a bit more into meta-intel, I've discovered that the implementation of meta-intel is cleaner and simpler than in meta-secure-core. If you are not interested about using microsoft certificates and the complicated shim + grub combo and that would plan to provision your own certificate in the firmware (which was what I wanted), I think meta-intel is a beter approach. Meta-intel leverate what they call "comboapp": https://git.yoctoproject.org/meta-intel/tree/classes/uefi-comboapp.bbclass It is a bundle of systemd-boot (a minimal uefi osloader implementation from systemd, previously gummiboot) with the kernel, cmdline and optionally a initramfs, furthermore it provide some clean and simple class to only sign an uefi binary: https://git.yoctoproject.org/meta-intel/tree/classes/uefi-sign.bbclass, if the uefi kernel stub is enough for your use case (which was my case) I do not know if you really need to keep grub, but if you can replace it with systemd boot and this uefi combo app from meta-intel layer (or more simply only use uefi kernel stub with a bundled initramfs), I think it could simplify a lot your boot process thus it will be simpler to implement an OTA solution with Mender. This is something that I will eventually try to achieve in the near future, so I will keep you posted about my progress if you are interested. Hope this will help you. Regards, -- Léo Le sam. 9 avr. 2022 à 16:38, Ballentine, Casey via lists.yoctoproject.org <casey.ballentine=essvote.com@...> a écrit : Hello, -- Léo |
|
|