Hi Tommy,
On Wed, Jun 07, 2017 at 06:39:25PM +0000, Tommy Huynh wrote:
Hi Leif/Ard,
Currently, what security properties does secure boot in edk2 on arm guarantee?
There is nothing ARM-specific about UEFI Secure Boot. Whatever is platform dependent is ... platform specific.
How should one enable secure boot on the ARM Juno platform?
Normally, all you would be expected to need is to build with -D SECURE_BOOT_ENABLE=TRUE
I've tried copying sections related to "SECURE_BOOT_ENABLE" from OpenPlatformPkg/Platforms/ARM/VExpress/* into corresponding files in OpenPlatformPkg/Platforms/ARM/Juno/ and setting SECURE_BOOT_ENABLE = True.
Oh, you shouldn't need to copy anything across. (If you do, we've messed up, and a bug report to edk2-devel@lists.01.org would be appreciated.)
It seems you've tripped over the case sensitivity ... It's supposed to be SECURE_BOOT_ENABLE=TRUE.
So, the only semi-tricky bit is you need to import OpenSSL in order to get the included cruptography support.
Your email prompted me to have a look at my helper scripts (https://git.linaro.org/uefi/uefi-tools.git) and it seems the integration has once again been revamped, so my scripts were no longer working. But I updated them and uefi-build.sh now tries to automatically import the latest version in the most convoluted way possible (I'd recommend against reading it).
Although, as Ard pointed out to me, you can these days also manually download the latest version from https://www.openssl.org/source/, extract it into CryptoPkg/Library/OpensslLib/ and rename the directory 'openssl' (without the version number), and that should "just work".
After rebuilding edk2 and arm-tf for Juno, I did a sanity test to check if the kernel image is verified during boot. I didn't sign the kernel image or provide any certificate, etc. so I expect the boot process to fail at kernel verification. However, the boot process continue until the Linux shell prompt. What did I miss here?
I also came across this doc which includes some instructions on secure boot: https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Security Could you elaborate on how the DATA block (which include VARIABLE_STORE_HEADER) is created?
I'll leave this bit for Ard.
Regards,
Leif