Initial implementation for Secure boot support #1589

Merged: 25 commits merged on Feb 26, 2024

Commits on Feb 26, 2024

  1. sys-boot/mokutil: Add from Gentoo

    It's from Gentoo commit cf90a21600e8d81c12b7e1143f43cd28f58dd70d.
    sayanchowdhury authored and pothos committed Feb 26, 2024
    6e497db
  2. coreos-base/coreos: Add mokutil to the base amd64 image

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    984233b
  3. sys-firmware/edk2-aarch64: drop old package and replace with new

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    ceb1480
  4. coreos-devel/board-packages: remove edk2-ovmf from arm64 dependencies

    This package is not used, we use edk2-aarch64 on arm64 and it is
    fetched during image_to_vm.sh because the ebuild simply wraps a binary
    file.
    
    Original Author: Jeremi Piotrowski <jpiotrowski@microsoft.com>
    
    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    af68df3
  5. eclass/rpm: Add from Gentoo

    It's from Gentoo commit 78e5f99cb41eaa50da930e7ab2dc7993fa243e1f.
    sayanchowdhury authored and pothos committed Feb 26, 2024
    58806c5
  6. vm_image_util.sh: update path to arm64 UEFI firmware

    The arm64 firmware is now called AAVMF with the updated edk2-aarch64
    ebuild.
    jepio authored and pothos committed Feb 26, 2024
    8019f7f
  7. sys-boot/shim: updates to 15.7

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    fc4acb6
  8. sys-boot/shim: make the shim buildable

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    65fe1f4
  9. coreos-sb-keys: Add the shim keys

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    348a262
  10. sys-boot/shim: Update shim to include signing keys, and build mm.efi

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    b42e3ad
  11. grub_install.sh: Sign the GRUB/MM with the proper keys

    Add the linux.mod file back
    
    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    0479480
  12. grub_install: switch to BOARD_GRUB by default

    Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
    jepio authored and pothos committed Feb 26, 2024
    6455625
  13. sys-boot/grub: install file with sbat contents, add --sbat to script

    This is just the contents of the section, but the section
    itself is written by grub-mkimage. sbat.csv needs to be passed
    with --sbat.
    
    Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    fc28e72
  14. Add support for secure boot in qemu_template.sh

    We have an existing qemu_uefi_secure format definition, but it is
    necessary to update it so that it actually works. Qemu needs to be
    passed the correct flags to enable SMM, we need to switch to the Q35
    machine, and we need to copy over the secboot variant of the OVMF
    firmware.
    jepio authored and pothos committed Feb 26, 2024
    6ff9f8b
  15. build_image_util: Sign the vmlinuz with the shim key

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    c1bdbd9
  16. build_library: Drop redundant config from grub.cfg

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    0400565
  17. sys-boot/shim: Move from cros_workon to upstream

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    97ebc77
  18. sys-boot/grub: Make sed silently fail when updating sbat

    Co-authored-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
    2 people authored and pothos committed Feb 26, 2024
    4648be9
  19. shim, coreos-sb-keys, grub_install.sh: retab to spaces

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    99bfcf5
  20. sys-boot/shim: Add the changelog for shim upgrade, and secureboot

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    0fc380c
  21. vendor-testing: Add qemu_uefi_secure, symlinked to qemu.sh

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    16b3a2a
  22. .github/workflow: Add the packages to automation list

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    3bc6944
  23. grub_install.sh: ship mokmanager, and rename to grubx64

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    52ce21a
  24. ci-automation: Update to include the qemu_uefi_secure test

    Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
    sayanchowdhury authored and pothos committed Feb 26, 2024
    3627046
  25. sys-boot/shim: Update to 15.8

    pothos committed Feb 26, 2024
    7db81c2