Hi Jonas,

On 19/08/2024 15:11, Jonas Kvinge wrote:
Hi,

I have a custom installation of openSUSE Tumbleweed which uses u-boot
and Grub.
To use secure boot on the RPI, one creates a boot.img containing the
kernel and other files which is signed, and the eeprom is locked to
only allow booting with this signature.
(https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md).
Since I'm using u-boot, I'm creating a boot.img containing u-boot.bin
instead of the linux kernel and ramdisk.
But then nothing is locking down which kernel can boot, since that's
controlled by UEFI and Grub. u-boot starts Grub from the UEFI
partition, and Grub starts the kernel from a separate /boot partition.
And I see no way to change this.
I use a 3 partition setup where the partitions are 1. FAT UEFI
partition, 2. Linux ext4 /boot partition, 3. Encrypted LUKS ext4 root
partition.
I've been looking into
https://trac.gateworks.com/wiki/secure_boot#SecuringtheKernelFDTramdiskviaFITimages
But is that possible to do with my current setup? Can I include grub
and the kernel/initrd in the boot.img and make u-boot use that instead
of from the UEFI partition?

I don't know the details of how this is implemented, but the way to solve this is by doing EFI secureboot in U-Boot. The trick is to embed the secureboot public key hash into U-Boot, there it will be validated by the bootrom stage and can be trusted to validate the signed kernel EFI.

The kernel would then need to be booted as a "UKI" (refer to the uapi group uki docs), this embeds the kernel, ramdisk, and DTB into a single EFI image which can be signed and verified.

Hopefully this points you in the right direction.

Kind regards,

Jonas


--
// Caleb (they/them)
