[meta-intel] [PATCH RFC 0/4] Super simple secure boot implementation not requiring combo app
Cal Sullivan
california.l.sullivan at intel.com
Fri Jul 14 19:13:48 PDT 2017
+ Patrick (mistyped email address).
---
Cal
On 07/14/2017 07:11 PM, California Sullivan wrote:
> I'm not sure why I never tried just signing the kernel and systemd-boot,
> but it works. If either one is not signed, it gives a security
> violation error.
>
> A con of this implementation is that unlike the combo app, we don't
> inherently validate the initrd. In the future we could require that
> an initrd is not used with secure boot unless the combo app is chosen.
>
> Obviously some cleanup is needed on my old work should we go this route,
> but it's the end of a Friday and I wanted to get some feedback on this.
>
> If you want to test it out you can pull my branch clsulliv/secureboot-simple.
>
> ---
> Cal
>
>
> California Sullivan (4):
> classes: Add uefi-sign.bbclass
> systemd-boot: Add uefi-sign bbclass to sign bootloader
> linux-intel: Add uefi-sign bbclass to sign kernel
> meta-intel.inc: Add secureboot to valid IMAGE_FEATURES
>
> classes/uefi-sign.bbclass | 52 ++++++++++++++++++++++
> .../systemd-boot/systemd-boot_%.bbappend | 3 ++
> common/recipes-kernel/linux/linux-intel_4.9.bb | 5 ++-
> conf/machine/include/meta-intel.inc | 2 +
> 4 files changed, 61 insertions(+), 1 deletion(-)
> create mode 100644 classes/uefi-sign.bbclass
>
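
An added example, not part of the original message or the patch series: a small audit that reports which artifacts in a boot chain carry an Authenticode certificate table at all, which makes the initrd gap described in the cover letter visible. The file names and the sample images are constructed assumptions; the check reads only the PE headers.

```python
import struct

CERT_DIR = 4  # index of the Certificate Table entry in the PE data directories

def cert_table(data: bytes):
    """Return (file_offset, size) of the Authenticode blob, or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < pe + 26:
        return None
    opt = pe + 24                       # optional header follows the COFF header
    dirs = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])
    entry = opt + dirs + 8 * CERT_DIR if dirs else None
    if entry is None or len(data) < entry + 8:
        return None
    if struct.unpack_from("<I", data, opt + dirs - 4)[0] <= CERT_DIR:
        return None                     # NumberOfRvaAndSizes too small
    off, size = struct.unpack_from("<II", data, entry)
    return (off, size) if size and off + size <= len(data) else None

def audit(chain: dict) -> dict:
    """Classify each boot artifact by whether it carries a signature at all."""
    out = {}
    for name, data in chain.items():
        if data[:2] != b"MZ":
            out[name] = "not PE"        # e.g. initrd: nothing to check
        else:
            out[name] = "signed" if cert_table(data) else "unsigned PE"
    return out

def fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable image."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", img, opt, 0x20B)          # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)       # NumberOfRvaAndSizes
    if signed:                                       # 8 placeholder bytes appended
        struct.pack_into("<II", img, opt + 112 + 8 * CERT_DIR, 0x200, 8)
        img += bytes(8)
    return bytes(img)

# Constructed sample chain; file names are assumptions, not from the patch set.
SAMPLE = {"systemd-bootx64.efi": fake_pe(True), "bzImage": fake_pe(False),
          "initrd": b"\x1f\x8b" + bytes(16)}
```

A present certificate table only shows that a signature is attached; it says nothing about whether that signature validates against the keys enrolled in firmware.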