Hi Jonas, on mobile and on vacation, I'll respond in a week or so. In the meantime https://www.linaro.org/blog/uefi-secureboot-in-u-boot/ this might help.

In short, you have to include the EFI keys in the U-Boot binary.

Cheers
Ilias

On Wed, Aug 21, 2024, 20:35 Jonas Kvinge <jona...@opensuse.org> wrote:

> On Tue, 2024-08-20 at 16:29 +0200, Caleb Connolly wrote:
> > Hi Jonas,
> >
> > I don't know the details of how this is implemented, but the way to
> > solve this is by doing EFI secureboot in U-Boot. The trick is to embed
> > the secureboot public key hash into U-Boot, there it will be validated
> > by the bootrom stage and can be trusted to validate the signed kernel
> > EFI.
> >
> > The kernel would then need to be booted as a "UKI" (refer to the uapi
> > group uki docs), this embeds the kernel, ramdisk, and DTB into a single
> > EFI image which can be signed and verified.
> >
> > Hopefully this points you in the right direction.
>
> Thanks, this got me a bit further, I have managed to produce a UKI
> using dracut on openSUSE, this is written as
> /boot/efi/EFI/Linux/linux-6.10.5-1-default-69b6602716a8442d94a79481993e2ded.efi,
> I verified that it works by copying it to /boot/efi/EFI/BOOT/bootaa64.efi.
> I've also signed it now following the instructions on
> https://github.com/u-boot/u-boot/blob/master/doc/develop/uefi/uefi.rst
> So it produced a signed file
> (/boot/efi/EFI/Linux/linux-6.10.5-1-default-69b6602716a8442d94a79481993e2ded.efi.signed).
> So the next step is to restrict booting to this signed efi file.
> But I'm still not sure how to configure U-Boot to only accept to boot
> EFI files with my certificate.
> I don't see anywhere to configure that in 'make menuconfig', of course,
> if I copy the files to the UEFI partition, someone could just replace
> the .auth files.
> Do I need to use FIT image like described on
> https://trac.gateworks.com/wiki/secure_boot ?
> In that case how do I configure the .its file to include the efi file
> and the certificate instead of the kernel, ramdisk and fdt files
> described in the wiki?
>
> Jonas
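A small check that fits the step Jonas describes above (sbsign producing a `.efi.signed` UKI): U-Boot's EFI secure boot verifies the Authenticode signature carried in the PE image's Certificate Table against the `db` variable, so before deploying an image it is worth confirming that the table is actually present and holds a PKCS#7 entry. The script below is an added example for this thread, not code from U-Boot, dracut or sbsign; it parses only PE/COFF header fields, and the two sample images it builds are constructed in-line (the `build_sample_pe` helper and the 4-byte stand-in for a PKCS#7 blob are assumptions for the demonstration, not real signature data).

```python
"""Report whether a PE/COFF EFI image carries an Authenticode certificate table.

Added example for the U-Boot secure boot thread; not project code. Usage on a
real file:  python pe_cert_check.py /boot/efi/EFI/Linux/some-uki.efi.signed
"""
import struct
import sys

MACHINE_NAMES = {0x8664: "x86_64", 0xAA64: "aarch64", 0x014C: "i386", 0x5064: "riscv64"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData entry


def inspect_pe(data: bytes) -> dict:
    """Parse PE headers and list the WIN_CERTIFICATE entries of the image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    machine, _nsec, _ts, _symptr, _nsym, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+ (64-bit, used by bootaa64.efi)
        nrva_off, dirs_off = 108, 112
    elif magic == 0x10B:      # PE32
        nrva_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    result = {"machine": MACHINE_NAMES.get(machine, f"{machine:#06x}"),
              "pe32plus": magic == 0x20B, "signed": False, "certificates": []}
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return result
    # Unlike other directories, the security entry holds a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_off == 0 or cert_size == 0:
        return result
    end, pos = cert_off + cert_size, cert_off
    while pos + 8 <= end:                                        # walk 8-byte-aligned WIN_CERTIFICATE entries
        length, revision, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt certificate table")
        result["certificates"].append({"length": length, "revision": revision, "type": ctype,
                                       "pkcs7": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA})
        pos += (length + 7) & ~7
    result["signed"] = any(c["pkcs7"] for c in result["certificates"])
    return result


def build_sample_pe(signed: bool) -> bytes:
    """Construct a minimal PE32+ aarch64 image (no sections) for testing; not a real UKI."""
    pe_off, opt_size = 0x40, 112 + 8 * 16                        # 16 data directories
    cert_off = pe_off + 4 + 20 + opt_size                        # certificate table right after the headers
    payload = b"\x30\x82\x00\x00"                                # constructed stand-in for a PKCS#7 blob
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0xAA64, 0, 0, 0, 0, opt_size, 0x0022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (108 - 2) + struct.pack("<I", 16)
    dirs = bytearray(8 * 16)
    if signed:
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    image = dos + b"PE\0\0" + coff + opt + bytes(dirs)
    return image + (cert if signed else b"")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True)
    info = inspect_pe(data)
    print(f"{info['machine']} {'PE32+' if info['pe32plus'] else 'PE32'}: "
          f"{'signed' if info['signed'] else 'NOT signed'} ({len(info['certificates'])} certificate entries)")
```

The check only proves a signature is attached; whether U-Boot accepts it still depends on the signing certificate being present in the `db` that is built into the U-Boot binary, which is the point Ilias makes above.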