Mender and efi-secure-boot on intel-corei7-64

Hi @TheYoctoJester et al:

I thought I should post an update after some weeks of working through this problem.

After talking with Josef we came to the conclusion that since the devices in question are using USB updates rather than OTA, the need for A/B rollback isn’t strictly necessary. After all, a human will be present to initiate & monitor the updates via USB and can take necessary actions upon update failure.

The approach we’re taking now is to first enable UEFI Secure Boot using meta-secure-core/meta-efi-secure-boot and adding some tweaks to the Mender grub.cfg fragments that end up composing the /boot/efi/EFI/BOOT/grub.cfg file. That’s working now!

The Secure Boot configuration portion in our .conf file looks like this:

# Add Secure Boot EFI and TPM2 tools
MACHINE_FEATURES_append = " tpm2"
DISTRO_FEATURES_append = " security tpm2 efi-secure-boot "
IMAGE_INSTALL_append = " tpm2-tools libtss2-tcti-device efitools seloader "

# disable Machine Owner Keys (MOK) secure boot
MOK_SB = ""

SIGNING_MODEL := "user"

# set secureboot key directory for this configuration
UEFI_SB_KEYS_DIR := "${SECUREBOOT_KEY_DIR}/${MACHINE}"

That got us a signed grub (bootx64.efi), grub.cfg, and SELoader EFI binary. However, there were still a couple of issues. First, bzImage and bzImage.p7b (the detached signature) need to be installed to the boot partition (mounted under /boot/efi on the running system). That was a straight forward addition to .conf:

IMAGE_BOOT_FILES_append = " \
                            ${KERNEL_IMAGETYPE} \
                            ${KERNEL_IMAGETYPE}${SB_FILE_EXT} \
                          "

We then struggled with Grub being able to work with mok2verify from the SELoader to verify & load bzImage. It turned out that the path that Grub looks for the kernel needs to have the ptable_type and partition number explicitly specified and the 90_mender_boot_grub.cfg fragment isn’t setting ptable_type early enough. Effectively, we force mender_kernel_path="(hd0,gpt1)" and viola we have a verified kernel and the Secure Boot completes and launches the rest of the system.

So that gets us to a working initial build. The next steps for us will involve a) using a mender state script to copy bzImage{.p7b} from the updated $rootfs/boot/ directory onto /boot/efi; and b) committing the update after the copy (or failing the update if something went wrong).

I’ll update this topic again with our progress.

Thanks,
Casey