These changes enable building systemd UKI images which combine kernel, kernel command line, initrd and possibly signatures into a single UEFI binary. This binary can be booted with UEFI firmware and systemd-boot. No grub is needed, and UEFI firmware and/or systemd-boot provide possibilities for boot menus. The UKI binary can also be signed for UEFI secure boot so that secure boot extends from firmware to kernel and initrd. Binding secure boot to full userspace is then easier since, for example, the kernel command line and initrd contain the support needed to mount encrypted, dm-verity etc. partitions, and/or to create partitions on demand with systemd-repart using device specific TPM devices for encryption.
Tested on qemuarm64-secureboot machine from meta-arm with changes to support secure boot. Slightly different configuration tested on multiple arm64 System Ready boards with UEFI firmware, real and firmware based TPM devices.

Michelle Lin (1):
  uki.bbclass: add class for building Unified Kernel Images (UKI)

Mikko Rapeli (1):
  systemd-boot-native: add runtime dependency to python3-pefile-native

 meta/classes-recipe/uki.bbclass                   | 158 ++++++++++++++++++
 .../systemd/systemd-boot-native_256.5.bb          |   2 +
 2 files changed, 160 insertions(+)
 create mode 100644 meta/classes-recipe/uki.bbclass

-- 
2.34.1
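The cover letter describes a UKI as one UEFI binary carrying kernel, command line, initrd and an optional signature. Concretely that is a PE32+ image whose payloads sit in named sections (.linux, .cmdline, .initrd, .osrel, ...), and the Secure Boot signature is an Authenticode blob referenced from the PE certificate table. The script below is an added example, not code from this patch series, from uki.bbclass or from systemd's ukify: it parses the PE section table directly (no python3-pefile needed), extracts the embedded command line, and reports whether the image is signed and which UKI sections are missing. The `build_fake_uki` helper is a constructed fixture that produces a non-bootable PE container so the inspector can be exercised offline; the section names and PE offsets are the documented ones, the fixture's contents are invented.

```python
"""Inspect a UKI (Unified Kernel Image) without python3-pefile.

Added example for this cover letter; it is not code from the patch series,
from uki.bbclass or from systemd's ukify.
"""
import struct

# Section names systemd-stub recognises (from the systemd-stub documentation).
UKI_SECTIONS = (".linux", ".osrel", ".cmdline", ".initrd", ".uname",
                ".sbat", ".splash", ".dtb", ".pcrsig", ".pcrpkey")


def parse_uki(data: bytes) -> dict:
    """Return {'machine', 'signed', 'sections': {name: payload}} for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+: data directories start at offset 112
        dd_off = opt + 112
    elif magic == 0x10B:      # PE32: data directories start at offset 96
        dd_off = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Data directory entry 4 is the Certificate Table. A nonzero size means an
    # Authenticode (PKCS#7) signature is attached, which is what UEFI Secure Boot verifies.
    _cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 4 * 8)

    sections = {}
    shdr = opt + opt_size
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, shdr + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        # Raw data is padded to FileAlignment; VirtualSize is the real payload length.
        size = min(vsize, rawsize) if vsize else rawsize
        sections[name] = data[rawptr:rawptr + size]
    return {"machine": machine, "signed": cert_size > 0, "sections": sections}


def audit_uki(data: bytes) -> dict:
    """Pull out the embedded command line and flag what a Secure Boot reviewer cares about."""
    info = parse_uki(data)
    secs = info["sections"]
    findings = []
    if ".linux" not in secs:
        findings.append("missing .linux section: nothing for systemd-stub to boot")
    if ".cmdline" not in secs:
        findings.append("no .cmdline section: kernel parameters are not pinned inside the signed image")
    if ".initrd" not in secs:
        findings.append("no .initrd section: initrd would have to come from outside the image")
    if not info["signed"]:
        findings.append("no Authenticode certificate table: image is not signed for UEFI Secure Boot")
    cmdline = secs.get(".cmdline", b"").rstrip(b"\0").decode("utf-8", "replace").strip()
    present = [n for n in UKI_SECTIONS if n in secs]
    return {"machine": info["machine"], "signed": info["signed"], "cmdline": cmdline,
            "sections": secs, "uki_sections": present, "findings": findings}


def build_fake_uki(sections: dict, signed: bool = False) -> bytes:
    """Constructed fixture: a PE32+ container carrying the given sections.

    It has no stub code and will not boot; it exists only so the parser can run
    offline. A real UKI is produced by ukify/uki.bbclass around systemd-stub.
    """
    align = 512
    names = list(sections)
    opt_size = 240                                    # PE32+ optional header incl. 16 data dirs
    hdr = -(-(64 + 4 + 20 + opt_size + 40 * len(names)) // align) * align
    raw, vaddr, shdrs, body = hdr, 0x1000, b"", b""
    for name in names:
        payload = sections[name]
        rawsize = -(-len(payload) // align) * align   # pad to FileAlignment like objcopy does
        shdrs += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(payload), vaddr,
                             rawsize, raw, 0, 0, 0, 0, 0x40000040)  # INITIALIZED_DATA | MEM_READ
        body += payload.ljust(rawsize, b"\0")
        raw += rawsize
        vaddr += -(-max(rawsize, 1) // 0x1000) * 0x1000
    cert = b"\0" * 64 if signed else b""              # stand-in for a WIN_CERTIFICATE blob
    dirs = [(0, 0)] * 16
    dirs[4] = (raw if signed else 0, len(cert))       # Certificate Table: file offset, size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0xAA64, len(names), 0, 0, 0, opt_size, 0x0002)  # ARM64, EXECUTABLE
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0") + b"".join(struct.pack("<II", *d) for d in dirs)
    head = (dos + b"PE\0\0" + coff + opt + shdrs).ljust(hdr, b"\0")
    return head + body + cert


if __name__ == "__main__":
    demo = build_fake_uki({".linux": b"KERNEL", ".osrel": b"ID=demo\n",
                           ".cmdline": b"root=/dev/mapper/root ro quiet\0",
                           ".initrd": b"INITRD"}, signed=True)
    for key, val in audit_uki(demo).items():
        if key != "sections":
            print(f"{key}: {val}")
```

Run it against a real image with `audit_uki(open("uki.efi", "rb").read())`; `findings` is empty for an image that carries kernel, command line and initrd and has a certificate table, which is the state the cover letter describes where the signature covers the whole boot chain up to the initrd. The check only proves a signature is attached, not that it chains to a key in `db`; that verification is the firmware's job (or `sbverify` on the build host).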