secureboot: enroll kernel hash in db for EFISTUB

Generate hash for second stage bootloader and enroll in db efivar to allow the firmware to verify the image for booting when using EFISTUB. This is necessary to update to GRUB 2.12, which passes the EFI image to the EFI boot services LoadImage method, which then validates the image when secure boot is enabled. Change-type: patch Signed-off-by: Joseph Kogut <joseph@balena.io>
balena-os · Mar 20, 2024 · 45fe30f · 45fe30f
1 parent b551e7d
commit 45fe30f
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 10 deletions.
diff --git a/meta-balena-common/recipes-support/balena-keys/balena-db-hashes.bb b/meta-balena-common/recipes-support/balena-keys/balena-db-hashes.bb
@@ -16,7 +16,16 @@ do_get_db() {
     fi
     mkdir -p "${DEST_DIR}"
 
-    hash-to-efi-sig-list "${DEPLOY_DIR_IMAGE}"/grub-efi-boot*.efi.secureboot "${DEST_DIR}/db.esl"
+    hash-to-efi-sig-list \
+        "${DEPLOY_DIR_IMAGE}"/grub-efi-boot*.efi.secureboot \
+        "${DEST_DIR}/db-loader.esl"
+
+    hash-to-efi-sig-list \
+        "${DEPLOY_DIR_IMAGE}/bzImage.initramfs" \
+        "${DEST_DIR}/db-kernel.esl"
+
+    cat "${DEST_DIR}/db-loader.esl" "${DEST_DIR}/db-kernel.esl" \
+        > "${DEST_DIR}/db.esl"
 
     FIRST_KEK=$(echo "${SIGN_EFI_KEK_KEY_ID}" | cut -d, -f1)
 
@@ -50,6 +59,7 @@ do_get_db[depends] += " \
     gnupg-native:do_populate_sysroot \
     efitools-native:do_populate_sysroot \
     grub-efi:do_deploy \
+    virtual/kernel:do_deploy \
     "
 
 do_deploy() {

diff --git a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-efi b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-efi
@@ -49,24 +49,30 @@ secureboot_setup() {
             if [ "${SETUPMODE_VAR}" -eq "1" ]; then
                 info "Secure boot setup mode detected - programming keys"
                 # Enroll PK last, as it should disable setup mode
-                for e in db KEK PK; do
-                    # Remove immutable attribute
-                    chattr -i ${EFIVARS_MOUNTDIR}/${e}* > /dev/null || true
-
+                for e in db-loader db-kernel KEK PK; do
+                    var="$(echo "${e}" | cut -d- -f1)"
                     # Use the .esl format for db. This only works in setup mode and above we have confirmed
                     # it is enabled. The .auth files are signed for appending during updates
                     # and while most UEFI implementations don't care, some of them will only allow
                     # to actually append. Here we want to replace the existing keys by ours.
                     FORMAT="auth"
                     EXTRA_ARGS=""
-                    if [ "${e}" = "db" ]; then
-                        FORMAT="esl"
-                        EXTRA_ARGS="-e"
-                    fi
+                    case "${e}" in
+                        db-loader)
+                            FORMAT="esl"
+                            EXTRA_ARGS="-e"
+                            ;;
+                        db-kernel)
+                            FORMAT="esl"
+                            EXTRA_ARGS="-a -e"
+                            ;;
+                    esac
 
                     KEY_FILE="${EXTERNAL_DEVICE_BOOT_PART_MOUNTPOINT}/balena-keys/${e}.${FORMAT}"
                     if [ -f "${KEY_FILE}" ]; then
-                        /usr/bin/efi-updatevar ${EXTRA_ARGS} -f "${KEY_FILE}" "${e}"
+                        # Remove immutable attribute
+                        chattr -i ${EFIVARS_MOUNTDIR}/${var}* > /dev/null || true
+                        /usr/bin/efi-updatevar ${EXTRA_ARGS} -f "${KEY_FILE}" "${var}"
                     fi
                 done
                 return 0