secure boot w/ Mender bzImage fails validation #dunfell


Jonas Andersson
 

Hi

If OTA updates are not an option, maybe RAUC can be an option for you?

/Jonas Andersson

On 21 Apr 2022, at 17:54, Leo <sartre.leo@...> wrote:


Hi Casey,

Please have a look at https://git.yoctoproject.org/meta-intel/tree/classes/uefi-sign.bbclass; with this class you can sign a bzImage compiled with the kernel EFI stub.

Regards
--
Léo

On Thu, 21 Apr 2022 at 16:13, Ballentine, Casey via lists.yoctoproject.org <casey.ballentine=essvote.com@...> wrote:
Unfortunately, the uefi-comboapp requires systemd-boot, which Mender doesn't currently support with mender-partuuid which our system requires for software updates over USB. Our devices aren't connected to the internet so OTA updates aren't an option for us. I've started a discussion on Mender.io to see if someone there can help us solve this issue, but in the meantime, any thoughts/suggestions are certainly appreciated!

-Casey








Leo
 

Hi Casey,

Please have a look at https://git.yoctoproject.org/meta-intel/tree/classes/uefi-sign.bbclass; with this class you can sign a bzImage compiled with the kernel EFI stub.

Regards
--
Léo


On Thu, 21 Apr 2022 at 16:13, Ballentine, Casey via lists.yoctoproject.org <casey.ballentine=essvote.com@...> wrote:
Unfortunately, the uefi-comboapp requires systemd-boot, which Mender doesn't currently support with mender-partuuid which our system requires for software updates over USB. Our devices aren't connected to the internet so OTA updates aren't an option for us. I've started a discussion on Mender.io to see if someone there can help us solve this issue, but in the meantime, any thoughts/suggestions are certainly appreciated!

-Casey






Ballentine, Casey
 

Unfortunately, the uefi-comboapp requires systemd-boot, which Mender doesn't currently support with mender-partuuid which our system requires for software updates over USB. Our devices aren't connected to the internet so OTA updates aren't an option for us. I've started a discussion on Mender.io to see if someone there can help us solve this issue, but in the meantime, any thoughts/suggestions are certainly appreciated!

-Casey


Leo
 

Hi Casey,

I've recently had to activate Secure Boot on some UEFI target.
I was trying to use meta-secure-core/meta-efi-secure-boot at first, but after digging a bit more into meta-intel, I discovered that the implementation in meta-intel is cleaner and simpler than in meta-secure-core.
If you are not interested in using Microsoft certificates and the complicated shim + grub combo, and would plan to provision your own certificate in the firmware (which was what I wanted), I think meta-intel is a better approach.
It is a bundle of systemd-boot (a minimal UEFI OS loader implementation from systemd, previously gummiboot) with the kernel, cmdline and optionally an initramfs; furthermore it provides a clean and simple class to only sign a UEFI binary: https://git.yoctoproject.org/meta-intel/tree/classes/uefi-sign.bbclass, if the UEFI kernel stub is enough for your use case (which was my case).
I do not know if you really need to keep grub, but if you can replace it with systemd-boot and this UEFI combo app from the meta-intel layer (or more simply only use the UEFI kernel stub with a bundled initramfs), I think it could simplify your boot process a lot, thus it will be simpler to implement an OTA solution with Mender.
This is something that I will eventually try to achieve in the near future, so I will keep you posted about my progress if you are interested.

Hope this will help you.
Regards,
--
Léo


On Sat, 9 Apr 2022 at 16:38, Ballentine, Casey via lists.yoctoproject.org <casey.ballentine=essvote.com@...> wrote:
Hello,

We have an Intel Elkhart Lake device that we are trying to get Secure Boot (via meta-secure-core/meta-efi-secure-boot SELoader) working on using the Dunfell release. This device uses Mender for updates via USB. We have Secure Boot working successfully on a similar device, but that device does not employ Mender.

On the HDD image, /boot/bzImage and /boot/bzImage.p7b (the detached digital signature) are present, as are the set of GRUB artifacts in /boot/efi/BOOT/EFI. As a side note, we do not use an initramfs.

Grub and grub.cfg validate on boot, but /boot/bzImage does not.

I've read that SELoader can't access anything outside of the /efi partition. If that's correct, how do we work around this issue?

Thanks for any help, and let me know if you need further information.

Best,
Casey




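Added example, not code from this thread, from meta-intel or from SELoader: a small check of whether a bzImage built with the kernel EFI stub carries an embedded Authenticode signature in its PE certificate table, which is the form the UEFI firmware itself verifies against db, as opposed to a detached .p7b lying next to the kernel as in Casey's setup. The fake_efi_image() input is constructed for the demo and is not a real kernel; the offsets come from the PE/COFF specification.

```python
import struct

# PE/COFF constants: data-directory index of the Authenticode certificate table,
# the two optional-header magics, and the WIN_CERTIFICATE type used for PKCS#7.
SECURITY_DIR = 4
PE32, PE32PLUS = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def cert_table(image: bytes):
    """Return (file_offset, size) of the embedded certificate table, (0, 0) if none."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header: kernel was not built with CONFIG_EFI_STUB")
    pe = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe + 24                                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    # PE32 and PE32+ put NumberOfRvaAndSizes and the data directories at different offsets.
    ndirs_off, dirs_off = (opt + 108, opt + 112) if magic == PE32PLUS else (opt + 92, opt + 96)
    if struct.unpack_from("<I", image, ndirs_off)[0] <= SECURITY_DIR:
        return (0, 0)
    return struct.unpack_from("<II", image, dirs_off + 8 * SECURITY_DIR)

def has_authenticode(image: bytes) -> bool:
    """True if the image carries a PKCS#7 WIN_CERTIFICATE that UEFI firmware can check."""
    off, size = cert_table(image)
    if off == 0 or size < 8 or off + size > len(image):
        return False
    length, _revision, ctype = struct.unpack_from("<IHH", image, off)
    return ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= size

def fake_efi_image(pkcs7: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (NOT a real kernel) to exercise the checks."""
    opt = bytearray(240)                                     # PE32+ optional header
    struct.pack_into("<H", opt, 0, PE32PLUS)
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)    # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0)  # x86-64, 240-byte opt header
    cert = b""
    if pkcs7:                                                # append a WIN_CERTIFICATE and point the directory at it
        cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x58 + len(opt), len(cert))
    return head + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else fake_efi_image(b"\x30\x82")
    print("embedded Authenticode signature:", has_authenticode(blob))
```

Run it against /boot/bzImage to see which kind of signature the image really carries; an image that reports False will not pass firmware Secure Boot verification by itself even if a .p7b sits beside it.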


Ballentine, Casey
 

Hello,

We have an Intel Elkhart Lake device that we are trying to get Secure Boot (via meta-secure-core/meta-efi-secure-boot SELoader) working on using the Dunfell release. This device uses Mender for updates via USB. We have Secure Boot working successfully on a similar device, but that device does not employ Mender.

On the HDD image, /boot/bzImage and /boot/bzImage.p7b (the detached digital signature) are present, as are the set of GRUB artifacts in /boot/efi/BOOT/EFI. As a side note, we do not use an initramfs.

Grub and grub.cfg validate on boot, but /boot/bzImage does not.

I've read that SELoader can't access anything outside of the /efi partition. If that's correct, how do we work around this issue?

Thanks for any help, and let me know if you need further information.

Best,
Casey