
UEFI Secure Boot on arm64

by
slac-in-the-box
from LinuxQuestions.org on (#57AXH)
Greetings Globe.

In the Linux Kernel Administrator's Guide, the EFI Boot Stub is thus summarized:

Quote:
On the x86 and ARM platforms, a kernel zImage/bzImage can masquerade as a PE/COFF image, thereby convincing EFI firmware loaders to load it as an EFI executable. The code that modifies the bzImage header, along with the EFI-specific entry point that the firmware loader jumps to are collectively known as the "EFI boot stub", and live in arch/x86/boot/header.S and arch/x86/boot/compressed/eboot.c, respectively. For ARM the EFI stub is implemented in arch/arm/boot/compressed/efi-header.S and arch/arm/boot/compressed/efi-stub.c. EFI stub code that is shared between architectures is in drivers/firmware/efi/libstub.

For arm64, there is no compressed kernel support, so the Image itself masquerades as a PE/COFF image and the EFI stub is linked into the kernel. The arm64 EFI stub lives in arch/arm64/kernel/efi-entry.S and drivers/firmware/efi/libstub/arm64-stub.c.

By using the EFI boot stub it's possible to boot a Linux kernel without the use of a conventional EFI boot loader, such as grub or elilo. Since the EFI boot stub performs the jobs of a boot loader, in a certain sense it IS the boot loader.

The EFI boot stub is enabled with the CONFIG_EFI_STUB kernel option.

The description makes it seem possible, so out of curiosity and fun, I gave it a try, and compiled a kernel for the arm64 Pinebook Pro, which came with das u-boot preloaded to handle booting, and a Rockchip SoC. I can get to the u-boot prompt by cancelling in time at the serial console connected to the Pinebook's UART, where, when I first tried to boot my kernel with CONFIG_EFI_STUB set, it reported that it found an efi_stub_kernel, but there were no valid signatures.

So I read up on signatures, and installed sbsign and efitools on x64fullslac, and mounted the microsd card that contained an efi partition with the efi_stub_kernel I had created, and another ext4 with slarm64base, that the stub kernel was configured to boot.

Following these notes on how to efi_boot for x86, I created some certificates and keys as follows:

Code:
# create a PK key
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my PK name/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256

# create a KEK key
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my KEK name/" -keyout KK.key -out KK.crt -days 3650 -nodes -sha256

# create a db key
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my db name/" -keyout db.key -out db.crt -days 3650 -nodes -sha256

And finally, I used sbsign to sign the efi_kernel image.

When trying to boot, the serial console now reports this error:

Code:
EFI stub: ERROR: FIRMWARE BUG: efi_loaded_image_t::image_base has bogus value

In his notes, Greg had a BIOS device, and he had to replace his efi on that device with a KeyTool efi image that can be found in "setup mode" (with "secure boot" disabled in the BIOS), and KeyTool updated the db.key, kek.key, and pk.key for the BIOS with the keys he had created, so that, once secure boot was enabled again, it would recognize the signatures on his boot_stub kernel as valid and boot his kernel.

But how do I do that step with das u-boot? How do I tell the "secure-boot" feature of das u-boot about new db.key, kek.key, and pk.key?

Has anyone ever successfully used an efi_boot_stub-enabled kernel with slackware on arm cpus?

I thought perhaps the keys would be u-boot environmental variables, as setting these variables seems like how u-boot works.

When I'm at the serial console, and use "printenv" (and I am using "screen /dev/ttyUSB0 1500000"), there are too many of the variables in the output for me to see all of them on one screen, and I don't seem to be able to scroll up to see if there are secure-boot related variables earlier in the output. Is there any way to limit serial output in screen to one page at a time, like more or less on the linux cli?

So that's where the adventure has led so far. Any and all suggestions are treasures. Let's get slackware EFI_Stub bootable!
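As an added illustration (not part of the post above, and not the poster's, Greg's or U-Boot's own code): U-Boot's UEFI Secure Boot support (built with CONFIG_EFI_SECURE_BOOT) does not consume PK.key/KK.key/db.key directly. U-Boot's UEFI documentation enrolls each certificate as an EFI Signature List, the .esl file that efitools' cert-to-efi-sig-list produces from a .crt, which sign-efi-sig-list then wraps into a signed .auth file to be written into the PK, KEK or db UEFI variable. The Python below builds and parses that EFI_SIGNATURE_LIST layout so the bytes actually being enrolled can be inspected and sanity-checked. The certificate bytes and the owner GUID are constructed placeholders, not a real certificate; in practice the payload is the DER form of PK.crt, KK.crt or db.crt.

```python
import struct
import uuid

# EFI_CERT_X509_GUID: SignatureType for lists whose entries are DER X.509 certificates
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Constructed placeholder for a DER-encoded certificate (NOT a real certificate;
# it only has a plausible SEQUENCE prefix so the length fields are realistic)
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# Constructed owner GUID; cert-to-efi-sig-list's -g option sets this field
SAMPLE_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-123456789abc")

# Fixed size of the EFI_SIGNATURE_LIST header: GUID + three UINT32 fields
ESL_HEADER_SIZE = 16 + 4 + 4 + 4


def build_esl(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding a single X.509 certificate.

    Layout (integers little-endian, GUIDs in UEFI mixed-endian byte order):
      EFI_SIGNATURE_LIST { SignatureType[16], SignatureListSize u32,
                           SignatureHeaderSize u32, SignatureSize u32 }
      EFI_SIGNATURE_DATA { SignatureOwner[16], SignatureData[SignatureSize-16] }
    For X.509 lists SignatureHeaderSize is 0 and there is exactly one entry.
    """
    sig_size = 16 + len(cert_der)
    list_size = ESL_HEADER_SIZE + sig_size
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(data: bytes):
    """Walk a concatenation of EFI_SIGNATURE_LISTs (the shape of a PK/KEK/db
    variable) and return (type_guid, owner_guid, payload) per signature entry.
    Malformed sizes raise ValueError instead of being silently accepted."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < ESL_HEADER_SIZE:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < ESL_HEADER_SIZE + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize (smaller than an owner GUID)")
        body = data[off + ESL_HEADER_SIZE + hdr_size: off + list_size]
        if not body or len(body) % sig_size:
            raise ValueError("signature area is not a whole number of entries")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            owner = uuid.UUID(bytes_le=entry[:16])
            entries.append((type_guid, owner, entry[16:]))
        off += list_size
    return entries


def describe_esl(data: bytes) -> list:
    """Human-readable summary of each entry, e.g. for eyeballing a db.esl."""
    out = []
    for type_guid, owner, payload in parse_esl(data):
        kind = "X509" if type_guid == EFI_CERT_X509_GUID else str(type_guid)
        out.append(f"{kind} owner={owner} payload={len(payload)} bytes")
    return out


if __name__ == "__main__":
    # Two certificates concatenated, as a db variable holding two signers would be
    db = build_esl(SAMPLE_CERT_DER, SAMPLE_OWNER_GUID) + \
        build_esl(b"\x30\x03\x02\x01\x01", SAMPLE_OWNER_GUID)
    for line in describe_esl(db):
        print(line)
```

In U-Boot the signed .auth files are loaded into memory and written with `setenv -e -nv -bs -rt -at -i <addr>:<size> PK` (and likewise for KEK and db). These UEFI variables are kept apart from the ordinary U-Boot environment: `printenv -e` lists them, which is why they do not show up in the `printenv` output the post is paging through. The kernel image itself is still signed with sbsign using the db key and certificate, as the post already does.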