[meta-intel] [PATCH RFC 0/4] Super simple secure boot implementation not requiring combo app

California Sullivan california.l.sullivan at intel.com
Fri Jul 14 19:11:57 PDT 2017


I'm not sure why I never tried just signing the kernel and systemd-boot,
but it works. If either one is not signed, it gives a security
violation error.

A con of this implementation is that unlike the combo app, we don't
inherently validate the initrd. In the future we could require that
an initrd is not used with secure boot unless the combo app is chosen.

Obviously some cleanup is needed on my old work should we go this route,
but it's the end of a Friday and I wanted to get some feedback on this.

If you want to test it out you can pull my branch clsulliv/secureboot-simple.

---
Cal


California Sullivan (4):
  classes: Add uefi-sign.bbclass
  systemd-boot: Add uefi-sign bbclass to sign bootloader
  linux-intel: Add uefi-sign bbclass to sign kernel
  meta-intel.inc: Add secureboot to valid IMAGE_FEATURES

 classes/uefi-sign.bbclass                          | 52 ++++++++++++++++++++++
 .../systemd-boot/systemd-boot_%.bbappend           |  3 ++
 common/recipes-kernel/linux/linux-intel_4.9.bb     |  5 ++-
 conf/machine/include/meta-intel.inc                |  2 +
 4 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 classes/uefi-sign.bbclass

-- 
2.9.4


