systemd update from 256 to 257 broke kernel secureboot signatures
inside signed UKI files with u-boot based UEFI firmware, e.g.
meta-arm and qemuarm64-secureboot machine config and secureboot:

$ cd meta-arm
$ kas build ci/poky.yml:ci/qemuarm64-secureboot.yml:ci/uefi-secureboot.yml:ci/testimage.yml

systemd-boot itself is secureboot signed and verified by firmware.
Same for the UKI file which combines kernel, initramfs etc.
Then the kernel from the UKI is additionally executed using UEFI firmware
calls which check signatures, so the kernel binary inside the signed UKI
needs to be signed with the same keys too. PE file padding added
to systemd ukify in the 257 release broke kernel signature validation
for u-boot and the sbsign/sbverify tools. EDK2-based firmware like
OVMF may not be affected because systemd-boot is able to disable
signature checking after a signed UKI has been loaded. This feature
is not supported by u-boot.

Upstream systemd bug report:

https://github.com/systemd/systemd/issues/35851

This patch proposed to upstream in:

https://github.com/systemd/systemd/pull/36225

systemd upstream may not like this revert and would prefer
alternative, possibly more intrusive changes instead, e.g. to
UEFI firmware implementations, sbsign/sbverify tooling or
systemd-boot, but this ukify revert is simpler for us
systemd users for now.

Cc: Jon Mason <[email protected]>
Cc: [email protected]
Signed-off-by: Mikko Rapeli <[email protected]>
---
 .../systemd/systemd-boot-native_257.1.bb      |  3 ++
 ...y.py-disable-virtual-size-for-kernel.patch | 39 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch

diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb 
b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
index 5b4b63c294..22ac5c96cc 100644
--- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
+++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
@@ -1,4 +1,7 @@
 require systemd.inc
+FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:"
+
+SRC_URI += "file://0001-ukify.py-disable-virtual-size-for-kernel.patch"
 
 inherit native
 
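Review bot: the workaround is wired only into systemd-boot-native_257.1.bb, so if the target systemd recipe (also built from systemd.inc) packages ukify, that copy keeps the SizeOfImage padding and would still produce UKIs whose embedded kernel fails u-boot's signature check; either confirm that only the native ukify is ever used to build UKIs or add the SRC_URI entry in the shared systemd.inc instead. Minor style point: `FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:"` works, but the conventional spelling in oe-core is `FILESEXTRAPATHS:prepend := "${THISDIR}/systemd:"` (the explicit `systemd` directory is right here, since ${PN} is systemd-boot-native).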
diff --git 
a/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch
 
b/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch
new file mode 100644
index 0000000000..ddf53f01c7
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/0001-ukify.py-disable-virtual-size-for-kernel.patch
@@ -0,0 +1,39 @@
+From cb869363ed84bcdd84c44781bc7f74ac027f9a9e Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <[email protected]>
+Date: Thu, 30 Jan 2025 11:33:38 +0000
+Subject: [PATCH] ukify.py: disable virtual size for kernel
+
+Adding padding to kernel breaks secure boot signature
+for u-boot based UEFI firmware and sbverify tooling.
+
+Workaround for https://github.com/systemd/systemd/issues/35851
+
+Signed-off-by: Mikko Rapeli <[email protected]>
+---
+ src/ukify/ukify.py | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+Upstream-Status: Submitted [https://github.com/systemd/systemd/pull/36225]
+
+diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
+index 5f821297c1..08ba800b44 100755
+--- a/src/ukify/ukify.py
++++ b/src/ukify/ukify.py
+@@ -1238,12 +1238,8 @@ def make_uki(opts: UkifyConfig) -> None:
+         uki.add_section(section)
+ 
+     if linux is not None:
+-        try:
+-            virtual_size = pefile.PE(linux, 
fast_load=True).OPTIONAL_HEADER.SizeOfImage
+-        except pefile.PEFormatError:
+-            print(f'{linux} is not a valid PE file, not using SizeOfImage.')
+-            virtual_size = None
+-
++        # Padding breaks signature for kernel 
https://github.com/systemd/systemd/issues/35851
++        virtual_size = None
+         uki.add_section(Section.create('.linux', linux, measure=True, 
virtual_size=virtual_size))
+ 
+     # Don't add a sbat section to profile PE binaries.
+-- 
+2.43.0
+
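Review bot: the `Upstream-Status: Submitted [...]` line in the embedded patch is placed after the `---` separator and the diffstat, so `git am` drops it from the commit message and oe-core's patch checks will not find it in the header; move it above `Signed-off-by:`, next to the `Workaround for ...` line. The hunk also unconditionally sets `virtual_size = None` for the `.linux` section, discarding the SizeOfImage-derived section size for every kernel and every firmware, not only for u-boot; the description says the padding breaks the signature but not what the larger virtual size was reserving for the loader, so state that trade-off (and that EDK2/OVMF builds lose it as well) in the patch description rather than only in the one-line code comment.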
-- 
2.43.0
