On Tue, 2024-08-20 at 16:29 +0200, Caleb Connolly wrote:
> Hi Jonas,
>
> I don't know the details of how this is implemented, but the way to
> solve this is by doing EFI secureboot in U-Boot. The trick is to embed
> the secureboot public key hash into U-Boot, where it will be validated
> by the bootrom stage and can be trusted to validate the signed kernel
> EFI.
>
> The kernel would then need to be booted as a "UKI" (refer to the uapi
> group uki docs); this embeds the kernel, ramdisk, and DTB into a
> single EFI image which can be signed and verified.
>
> Hopefully this points you in the right direction.
Thanks, this got me a bit further. I have managed to produce a UKI using dracut on openSUSE; this is written as /boot/efi/EFI/Linux/linux-6.10.5-1-default-69b6602716a8442d94a79481993e2ded.efi, and I verified that it works by copying it to /boot/efi/EFI/BOOT/bootaa64.efi.

I've also signed it now, following the instructions on https://github.com/u-boot/u-boot/blob/master/doc/develop/uefi/uefi.rst, so it produced a signed file (/boot/efi/EFI/Linux/linux-6.10.5-1-default-69b6602716a8442d94a79481993e2ded.efi.signed).

So the next step is to restrict booting to this signed EFI file. But I'm still not sure how to configure U-Boot to only accept booting EFI files with my certificate. I don't see anywhere to configure that in 'make menuconfig'; of course, if I copy the files to the UEFI partition, someone could just replace the .auth files.

Do I need to use a FIT image like the one described on https://trac.gateworks.com/wiki/secure_boot ? In that case, how do I configure the .its file to include the EFI file and the certificate instead of the kernel, ramdisk and fdt files described in the wiki?

Jonas
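An offline sanity check for the two artifacts in the procedure above (the signed UKI that sbsign produced and the .auth blob that would be enrolled into db), added here as an example; it is not code from the thread, from U-Boot or from dracut. It relies only on the on-disk UEFI formats (the PE/COFF Certificate Table in data directory 4, EFI_VARIABLE_AUTHENTICATION_2, EFI_SIGNATURE_LIST); the inputs are constructed header-only fixtures, and the function and fixture names (pe_has_certificate_table, x509_certs_in_auth, build_*) are my own. It answers "did a signature table actually get attached?" and "which certificate is this .auth going to put into db?"; it does not verify the PKCS#7 signature itself.

```python
"""Inspect EFI secure boot artifacts without booting the board.

Added example, not from the thread or any project. Two checks:
  1. does a PE32+ image (the .efi.signed UKI) carry a Certificate Table?
  2. what X.509 certificate(s) does an EFI_VARIABLE_AUTHENTICATION_2
     blob (a db.auth / KEK.auth / PK.auth file) actually contain?
"""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
IMAGE_FILE_MACHINE_ARM64 = 0xAA64


def pe_has_certificate_table(image: bytes) -> bool:
    """True if data directory 4 (Certificate Table) is non-empty, i.e. an
    Authenticode signature was attached. Presence only, not validity."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:                           # PE32+ (aarch64, x86_64)
        dirs = opt + 112
    elif magic == 0x10B:                         # PE32
        dirs = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    rva, size = struct.unpack_from("<II", image, dirs + 4 * 8)
    return rva != 0 and size != 0


def parse_auth2(blob: bytes):
    """Split EFI_VARIABLE_AUTHENTICATION_2 (EFI_TIME + WIN_CERTIFICATE_UEFI_GUID)
    into (pkcs7_signature, variable_payload)."""
    dw_length, _revision, cert_kind = struct.unpack_from("<IHH", blob, 16)
    cert_type = uuid.UUID(bytes_le=blob[24:40])
    if cert_kind != WIN_CERT_TYPE_EFI_GUID or cert_type != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS#7 authenticated variable blob")
    return blob[40:16 + dw_length], blob[16 + dw_length:]


def parse_esl(payload: bytes):
    """Walk concatenated EFI_SIGNATURE_LISTs; return a list of
    (SignatureType, SignatureOwner, SignatureData) tuples."""
    entries, off = [], 0
    while off < len(payload):
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=payload[pos:pos + 16])
            entries.append((sig_type, owner, payload[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def x509_certs_in_auth(blob: bytes):
    """DER bodies of every X.509 entry the .auth would enroll."""
    _sig, payload = parse_auth2(blob)
    return [data for t, _o, data in parse_esl(payload) if t == EFI_CERT_X509_GUID]


# ---- constructed fixtures (not real files; cert/PKCS#7 bytes are placeholders) ----
def build_esl(sig_type, owner, data):
    sig_size = 16 + len(data)
    return sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size) \
        + owner.bytes_le + data


def build_auth2(payload, pkcs7):
    hdr = struct.pack("<IHH", 8 + 16 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return bytes(16) + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + payload


def build_pe_header(cert_table_size):
    """Minimal PE32+ header (no sections); cert table pointer is a dummy."""
    img = bytearray(0x40 + 4 + 20 + 240)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, IMAGE_FILE_MACHINE_ARM64, 0)
    struct.pack_into("<H", img, 0x44 + 16, 240)              # SizeOfOptionalHeader
    opt = 0x44 + 20
    struct.pack_into("<H", img, opt, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)               # NumberOfRvaAndSizes
    if cert_table_size:
        struct.pack_into("<II", img, opt + 112 + 4 * 8, len(img), cert_table_size)
    return bytes(img)


FAKE_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 32    # placeholder, not valid DER
FAKE_PKCS7 = b"\x30\x82\x00\x10" + b"\xbb" * 16   # placeholder, not valid DER
OWNER = uuid.UUID("12345678-1234-1234-1234-123456789abc")
SAMPLE_DB_AUTH = build_auth2(build_esl(EFI_CERT_X509_GUID, OWNER, FAKE_CERT), FAKE_PKCS7)
SIGNED_UKI, UNSIGNED_UKI = build_pe_header(0x500), build_pe_header(0)

if __name__ == "__main__":
    print("signed UKI has cert table:", pe_has_certificate_table(SIGNED_UKI))
    print("unsigned UKI has cert table:", pe_has_certificate_table(UNSIGNED_UKI))
    print("certs in db.auth:", [c[:4].hex() for c in x509_certs_in_auth(SAMPLE_DB_AUTH)])
```

Against real files, read them in place of the fixtures: pe_has_certificate_table(open(".../linux-...efi.signed", "rb").read()) and x509_certs_in_auth(open("db.auth", "rb").read()). The second check is the useful one before enrolling anything: the DER it returns should be the same certificate that was passed to sbsign, otherwise U-Boot will end up with a db that does not match the image you signed.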