[RFC] uki: Example usage of uki.bbclass

Message ID 20230901233303.1109826-1-michelle.linto91@gmail.com
State New

Commit Message

Michelle Lin Sept. 1, 2023, 11:33 p.m. UTC
This patch contains an example recipe, core-image-minimal-uki.bb, on how to use
the uki.bbclass. The recipe specifies the need for a config file to be passed to
SRC_URI if the UKI is to be signed. The config file simplifies the usage of the
class by allowing the user to organize, manage, and customize the settings for
signing the UKI (i.e. SecureBoot, PCR signing). See systemd Ukify documentation
for a detailed rundown of the syntax
(https://www.freedesktop.org/software/systemd/man/ukify.html). If the config
file is not present nor specified in the recipe, the UKI will be unsigned when
built.

Signed-off-by: Michelle Lin <michelle.linto91@gmail.com>
---
 .../core-image-minimal-uki.bb                 | 11 +++++++++++
 .../core-image-minimal-uki.conf               | 19 +++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki.bb
 create mode 100644 meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki/core-image-minimal-uki.conf

Patch

diff --git a/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki.bb b/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki.bb
new file mode 100644
index 0000000000..5cdf46a35c
--- /dev/null
+++ b/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki.bb
@@ -0,0 +1,11 @@ 
+SUMMARY = "Overlake UKI creation with signing"
+
+require ../../recipes-core/images/core-image-minimal.bb
+inherit uki
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/core-image-minimal-uki:"
+
+# To sign the UKI, you must specify the path to the config file containing the key/cert filepaths for signing.
+# If SRC_URI doesn't specify the path to the config file, the UKI will build but remained unsigned.
+
+# SRC_URI:append = " file://core-image-minimal-uki.conf"
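
Review bot: the SUMMARY promises "UKI creation with signing", but the only line that enables signing, `# SRC_URI:append = " file://core-image-minimal-uki.conf"`, is commented out, so the recipe as posted builds an unsigned UKI with nothing to tell the user. Either reword the summary to say signing is optional, or have the class emit a warning when no config file is found, so an unsigned image is never produced silently. Smaller points in the same hunk: "Overlake" in SUMMARY reads like a project-specific name left in a generic example; "will build but remained unsigned" should be "remain unsigned"; and `require ../../recipes-core/images/core-image-minimal.bb` depends on where this recipe sits in the tree, whereas `require recipes-core/images/core-image-minimal.bb` resolves through BBPATH.
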
diff --git a/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki/core-image-minimal-uki.conf b/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki/core-image-minimal-uki.conf
new file mode 100644
index 0000000000..6e331ff1ae
--- /dev/null
+++ b/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki/core-image-minimal-uki.conf
@@ -0,0 +1,19 @@ 
+#
+# This file is your configuration file where settings for signing the UKI can be specified. 
+# You must specify the path to the proper paths to the key/cert files in order to sign the UKI. Otherwise, the image will be built unsigned.
+#
+# SecureBoot Signing
+#
+[UKI]
+SecureBootPrivateKey=<private-key>
+SecureBootCertificate=<certificate>
+#
+# PCR Signature
+#
+[PCRSignature:initrd]
+PCRPrivateKey=<private-key>
+PCRPublicKey=<public-key>
+
+[PCRSignature:system]
+PCRPrivateKey=<private-key>
+PCRPublicKey=<public-key>
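
Review bot: the same `<private-key>` placeholder appears under [UKI] and under both [PCRSignature:*] sections, and the header comment does not say where the key files are expected to live. Because this config sits in the recipe's own directory and is fetched through SRC_URI, the comment should state that the values are paths to key files kept outside the layer (not key material, and not files committed next to the recipe). Distinct placeholders, for example `<secureboot-private-key>` and `<pcr-private-key>`, would also avoid suggesting that SecureBoot and PCR signing share one key. The two PCR sections are named initrd and system but carry no `Phases=` setting, so nothing in the file distinguishes them; add the phases each one is meant to cover, or explain why two sections are needed. Wording: "specify the path to the proper paths to the key/cert files" should read "specify the paths to the key/cert files".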