Re: secure boot w/ Mender bzImage fails validation #dunfell


Hi Casey,

I've recently had to activate secureboot on some uefi target.
I was trying to use meta-secure-core/meta-efi-secure-boot aft first, but after digging a bit more into meta-intel, I've discovered that the implementation of meta-intel is cleaner and simpler than in meta-secure-core.
If you are not interested about using microsoft certificates and the complicated shim + grub combo and that would plan to provision your own certificate in the firmware (which was what I wanted), I think meta-intel is a beter approach.
It is a bundle of systemd-boot (a minimal uefi osloader implementation from systemd, previously gummiboot) with the kernel, cmdline and optionally a initramfs, furthermore it provide some clean and simple class to only sign an uefi binary:, if the uefi kernel stub is enough for your use case (which was my case)
I do not know if you really need to keep grub, but if you can replace it with systemd boot and this uefi combo app from meta-intel layer (or more simply only use uefi kernel stub with a bundled initramfs), I think it could simplify a lot your boot process thus it will be simpler to implement an OTA solution with Mender.
This is something that I will eventually try to achieve in the near future, so I will keep you posted about my progress if you are interested.

Hope this will help you.

Le sam. 9 avr. 2022 à 16:38, Ballentine, Casey via <> a écrit :

We have an Intel Elkhart Lake device that we are trying to get Secure Boot (via meta-secure-core/meta-efi-secure-boot SELoader) working on using the Dunfell release. This device uses Mender for updates via USB. We have Secure Boot working successfully on a similar device, but that device does not employ Mender.

On the HDD image, /boot/bzImage and /boot/bzImage.p7b (the detached digital signature) are present, as are the set of GRUB artifacts in /boot/efi/BOOT/EFI. As a side note, we do not use an initramfs.

Grub and grub.cfg validate on boot, but /boot/bzImage does not.

I've read that SELoader can't access anything outside of the /efi partition. If that's correct, how do we work around this issue?

Thanks for any help, and let me know if you need further information.



Join to automatically receive all group messages.