author | Leo Yan <leo.yan@linaro.org> | 2022-12-31 15:39:42 +0800 |
---|---|---|
committer | Ilias Apalodimas <ilias.apalodimas@linaro.org> | 2023-01-12 07:47:30 +0000 |
commit | 47ac14fb0503c9fdffdbfe8e668a6ee75b858289 (patch) | |
tree | 78af3ba01476f90f2b527b9b4319955e652c960b | |
parent | 36641ab6e9dfca1a76551bb7d31382d50d73735a (diff) |
grub: Build grub and generate EFI binary
Based on the recipes in poky/meta/recipes-bsp/grub, we append the
building operations.
1) This patch changes to pull the code from git server, this can allow
us to build GRUB with the new code base.
2) We use the grub-mkstandalone command to generate the EFI binary, which
can then be loaded by U-Boot's EFI support, and the EFI binary is signed
with the UEFI certificates.
3) This patch introduces two GRUB configuration files: grub-initial.cfg
file is built into EFI binary, its purpose is to set the root
partition and then we use it to load the grub.cfg file, finally we
rely on grub.cfg to load Linux kernel and ramdisk and boot up system.
Signed-off-by: Leo Yan <leo.yan@linaro.org>
7 files changed, 154 insertions, 0 deletions
diff --git a/meta-ledge-secure/recipes-bsp/grub/files/0001-verifiers-Don-t-return-error-for-deferred-image.patch b/meta-ledge-secure/recipes-bsp/grub/files/0001-verifiers-Don-t-return-error-for-deferred-image.patch
new file mode 100644
index 0000000..e55128d
--- /dev/null
+++ b/meta-ledge-secure/recipes-bsp/grub/files/0001-verifiers-Don-t-return-error-for-deferred-image.patch
@@ -0,0 +1,48 @@
+From 70fe34e1e61e0560af8a2018c5486b07b217f7fc Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Thu, 22 Dec 2022 15:28:12 +0800
+Subject: [PATCH] verifiers: Don't return error for deferred image
+
+When boot from menu and the flag GRUB_VERIFY_FLAGS_DEFER_AUTH is set,
+grub returns error:
+
+ Booting a command list
+
+ error: verification requested but nobody cares: (hd0,gpt1)/Image.
+
+ Press any key to continue...
+
+In this case, the image should be deferred for authentication, grub
+should return the file handle and pass down to later firmware (e.g.
+U-Boot, etc) for authentication.
+
+For this purpose, rather than returning error, this patch prints log
+and returns file handler.
+
+Upstream-Status: Submitted
+
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+---
+ grub-core/kern/verifiers.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
+index 75d7994cf..ada753e69 100644
+--- a/grub-core/kern/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -115,11 +115,7 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+ if (!ver)
+ {
+ if (defer)
+- {
+- grub_error (GRUB_ERR_ACCESS_DENIED,
+- N_("verification requested but nobody cares: %s"), io->name);
+- goto fail_noclose;
+- }
++ grub_printf("%s verification is deferred\n", io->name);
+
+ /* No verifiers wanted to verify. Just return underlying file. */
+ return io;
+--
+2.35.1
+
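Review bot: The new `grub_printf` branch falls through to `return io;`, so in the deferred case the file is now handed back with no verifier having checked it: GRUB itself no longer enforces anything for that file, and the security of the boot rests entirely on the downstream component (the patch description names U-Boot) actually authenticating it. That assumption is not recorded in the code; a comment above the printf such as `/* A verifier deferred authentication: the file is returned unverified and the downstream consumer must check it. */` would make the contract explicit for the next reader. If the rest of verifiers.c logs through `grub_dprintf`, that is probably the better fit here than an unconditional message on the boot console (hedged, the surrounding file is outside the hunk). `grub_verifiers_open` continues beyond the hunk on both sides, so whether `fail_noclose` still has other users cannot be confirmed from here.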
diff --git a/meta-ledge-secure/recipes-bsp/grub/files/grub-initial.cfg b/meta-ledge-secure/recipes-bsp/grub/files/grub-initial.cfg
new file mode 100644
index 0000000..3cb838f
--- /dev/null
+++ b/meta-ledge-secure/recipes-bsp/grub/files/grub-initial.cfg
@@ -0,0 +1,8 @@
+# First partition on first disk, most likely EFI system partition. Set it here
+# as fallback in case the search doesn't find the given UUID.
+set root='hd0,gpt1'
+search --no-floppy --fs-uuid --set=root 7819-74F8
+
+configfile /grub.cfg
+
+# If fail to load config file, it runs into GRUB shell.
diff --git a/meta-ledge-secure/recipes-bsp/grub/files/grub.cfg b/meta-ledge-secure/recipes-bsp/grub/files/grub.cfg
new file mode 100644
index 0000000..2eaed98
--- /dev/null
+++ b/meta-ledge-secure/recipes-bsp/grub/files/grub.cfg
@@ -0,0 +1,14 @@
+set term="vt100"
+set default="0"
+set timeout="5"
+
+kernel_cmdline="rootwait rw"
+
+rootpart_uuid="6091b3a4-ce08-3020-93a6-f755a22ef03b"
+
+menuentry 'TRS' {
+ echo 'Loading Linux ...'
+ linux /Image $kernel_cmdline root=UUID=$rootpart_uuid
+ echo 'Loading initial ramdisk ...'
+ initrd /ledge-initramfs.rootfs.cpio.gz
+}
diff --git a/meta-ledge-secure/recipes-bsp/grub/files/uefi-certificates b/meta-ledge-secure/recipes-bsp/grub/files/uefi-certificates
new file mode 120000
index 0000000..d0eba10
--- /dev/null
+++ b/meta-ledge-secure/recipes-bsp/grub/files/uefi-certificates
@@ -0,0 +1 @@
+../../../recipes-kernel/linux/files/uefi-certificates/
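Review bot: `configfile /grub.cfg` hands control to a configuration read from the ESP, outside the standalone image, so the sbsign signature applied in grub-efi_%.bbappend covers this embedded grub-initial.cfg but not the grub.cfg that actually selects the kernel, initrd and command line; whether that second file is protected by something else (a check in U-Boot, a read-only partition) is not visible in this commit and should be stated in a comment next to the `configfile` line. The closing comment also documents that a missing or unreadable grub.cfg drops into the interactive GRUB shell; if that is not intended on a secure-boot image, `reboot` (already in GRUB_BUILDIN) after the `configfile` line would make the failure path explicit, otherwise a comment recording the decision would do. Wording: `# If loading the config file fails, GRUB drops into its interactive shell.`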
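Review bot: grub.cfg sets `set timeout="5"` but no `set superusers` or `password_pbkdf2` line, so the menu entry and its `$kernel_cmdline` stay editable from the boot menu even though `password_pbkdf2` is included in GRUB_BUILDIN in grub-efi_%.bbappend; if menu editing is meant to be locked on this image, this file is where that belongs, otherwise a comment stating that it is intentionally open would help. The root filesystem UUID `6091b3a4-ce08-3020-93a6-f755a22ef03b` here and the ESP UUID `7819-74F8` in grub-initial.cfg are hard-coded, which ties both files to one specific image build and will break silently when the image is regenerated with new UUIDs. A comment above the assignment such as `# Must match the UUID of the generated root partition; regenerate when the image changes.` would at least record the dependency.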
\ No newline at end of file
diff --git a/meta-ledge-secure/recipes-bsp/grub/grub-bootconf_%.bbappend b/meta-ledge-secure/recipes-bsp/grub/grub-bootconf_%.bbappend
new file mode 100644
index 0000000..a7a0a7c
--- /dev/null
+++ b/meta-ledge-secure/recipes-bsp/grub/grub-bootconf_%.bbappend
@@ -0,0 +1,19 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI += "file://grub.cfg"
+
+do_configure() {
+}
+
+do_install() {
+ install -d ${D}${EFI_FILES_PATH}
+ install grub.cfg ${D}${EFI_FILES_PATH}/grub.cfg
+}
+
+inherit deploy
+
+do_deploy() {
+ install -m 644 ${D}${EFI_FILES_PATH}/grub.cfg ${DEPLOYDIR}
+}
+
+addtask deploy before do_package after do_install
diff --git a/meta-ledge-secure/recipes-bsp/grub/grub-efi_%.bbappend b/meta-ledge-secure/recipes-bsp/grub/grub-efi_%.bbappend
new file mode 100644
index 0000000..5615dec
--- /dev/null
+++ b/meta-ledge-secure/recipes-bsp/grub/grub-efi_%.bbappend
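Review bot: `install grub.cfg ${D}${EFI_FILES_PATH}/grub.cfg` in do_install uses a relative source path, so it works only if the task's working directory happens to be where the fetched `file://grub.cfg` lands; `install -m 644 ${WORKDIR}/grub.cfg ${D}${EFI_FILES_PATH}/grub.cfg` names the source explicitly and sets the mode the way the do_deploy line already does. The empty `do_configure()` silently replaces whatever config generation the base recipe performs; a one-line comment such as `# grub.cfg is shipped as a static file; the base recipe's generated config is not used.` would explain the override to the next maintainer.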
@@ -0,0 +1,42 @@
+DEPENDS:append = " e2fsprogs-native efitools-native coreutils-native "
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI += "file://grub-initial.cfg \
+ file://grub.cfg \
+ file://0001-verifiers-Don-t-return-error-for-deferred-image.patch"
+
+SRC_URI += "file://uefi-certificates/db.key"
+SRC_URI += "file://uefi-certificates/db.crt"
+
+GRUB_BUILDIN = "part_gpt fat ext2 configfile pgp gcry_sha512 gcry_rsa \
+ password_pbkdf2 echo normal linux all_video \
+ search search_fs_uuid reboot sleep"
+
+do_mkimage() {
+ cd ${B}
+
+ grub-mkstandalone --disable-shim-lock \
+ --format=arm64-efi \
+ --locale-directory=/usr/share/locale/ \
+ --directory=./grub-core/ \
+ --modules="${GRUB_BUILDIN}" \
+ --output=./${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} \
+ "boot/grub/grub.cfg=${WORKDIR}/grub-initial.cfg"
+
+ ${STAGING_BINDIR_NATIVE}/sbsign \
+ --key ${WORKDIR}/uefi-certificates/db.key \
+ --cert ${WORKDIR}/uefi-certificates/db.crt \
+ ${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} \
+ --output ${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}.signed
+ cp ${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}.signed ${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}
+}
+
+do_install() {
+ install -d ${D}${EFI_FILES_PATH}
+ install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${D}${EFI_FILES_PATH}/${GRUB_IMAGE}
+}
+
+do_deploy() {
+ install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${DEPLOYDIR}
+}
diff --git a/meta-ledge-secure/recipes-bsp/grub/grub_%.bbappend b/meta-ledge-secure/recipes-bsp/grub/grub_%.bbappend
new file mode 100644
index 0000000..2b8ce8d
--- /dev/null
+++ b/meta-ledge-secure/recipes-bsp/grub/grub_%.bbappend
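Review bot: The sbsign step reads the private key `${WORKDIR}/uefi-certificates/db.key`, fetched through the `files/uefi-certificates` symlink added in this commit, so the secure-boot signing key is a plain file in the layer and is copied into every build's WORKDIR; that is acceptable for development certificates, but the recipe offers no way to substitute a key kept outside the tree, and a comment marking these as development keys plus an overridable variable such as `UEFI_SIGN_KEY ?= "${WORKDIR}/uefi-certificates/db.key"` would make that boundary explicit. `--locale-directory=/usr/share/locale/` points at the build host rather than a sysroot path, which is a host-contamination and reproducibility concern. `--format=arm64-efi` is hard-coded as well, so the append produces an arm64 image for any machine it is applied to; reusing the base recipe's target variable, if one exists, would be safer. The `pgp`, `gcry_sha512` and `gcry_rsa` modules are built in but no public key is embedded with `--pubkey` and grub-initial.cfg sets no `check_signatures`, so those modules cannot enforce anything on their own; a comment on whether GRUB-side signature checking is intended would clarify the design.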
@@ -0,0 +1,22 @@
+# Overwrite poky side SRC_URI to remove all security etc patches
+# since we update to a newer version anyway and the patches don't apply
+SRC_URI = "git://git.savannah.gnu.org/git/grub.git;protocol=https;branch=master"
+
+SRCREV = "7259d55ffcf124e32eafb61aa381f9856e98a708"
+PV = "2.06+git${SRCPV}"
+S = "${WORKDIR}/git"
+
+SRC_URI[sha256sum] = "a52e73e42dabbda0f9032ef30a5afae00e80abb745cc5c356e3b56fda0048e1d"
+
+do_configure[depends] += "gnulib-native:do_populate_sysroot \
+ ${MLPREFIX}gnulib:do_populate_sysroot"
+
+do_configure:prepend() {
+ cd ${S}
+
+ rm -rf ${S}/gnulib
+ cp -rf ${STAGING_DATADIR}/gnulib ${S}/gnulib
+
+ ./bootstrap --gnulib-srcdir=./gnulib
+ cd -
+} |
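Review bot: `SRC_URI[sha256sum] = "a52e73e4..."` is a leftover from the tarball fetch that this append replaces; the git fetcher ignores checksum flags, so the line now verifies nothing while looking like an integrity check, and it should be dropped (the pinned `SRCREV` is what anchors the source). The header comment says the poky security patches are removed because they no longer apply; recording which of them are already merged at `7259d55f` and which are genuinely lost would let a reviewer confirm nothing regressed. In `do_configure:prepend` the `cd ${S}` / `cd -` pair leaves the working directory as an implicit contract with the rest of do_configure; wrapping the body in a subshell, `( cd ${S} && rm -rf gnulib && cp -rf ${STAGING_DATADIR}/gnulib gnulib && ./bootstrap --gnulib-srcdir=./gnulib )`, keeps the cwd handling local and drops the `cd -`.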