mirror of
https://github.com/torvalds/linux.git
synced 2026-05-03 05:52:38 -04:00
a050910972
Implement a minimal EFI app that decompresses the real kernel image and launches it using the firmware's LoadImage and StartImage boot services. This removes the need for any arch-specific hacks. Note that on systems that have UEFI secure boot policies enabled, LoadImage/StartImage require images to be signed, or their hashes known a priori, in order to be permitted to boot. There are various possible strategies to work around this requirement, but they all rely either on overriding internal PI/DXE protocols (which are not part of the EFI spec) or omitting the firmware provided LoadImage() and StartImage() boot services, which is also undesirable, given that they encapsulate platform specific policies related to secure boot and measured boot, but also related to memory permissions (whether or not and which types of heap allocations have both write and execute permissions.) The only generic and truly portable way around this is to simply sign both the inner and the outer image with the same key/cert pair, so this is what is implemented here. Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
71 lines
2.5 KiB
Makefile
71 lines
2.5 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
|
|
# to be include'd by arch/$(ARCH)/boot/Makefile after setting
|
|
# EFI_ZBOOT_PAYLOAD, EFI_ZBOOT_BFD_TARGET and EFI_ZBOOT_MACH_TYPE
|
|
|
|
comp-type-$(CONFIG_KERNEL_GZIP) := gzip
|
|
comp-type-$(CONFIG_KERNEL_LZ4) := lz4
|
|
comp-type-$(CONFIG_KERNEL_LZMA) := lzma
|
|
comp-type-$(CONFIG_KERNEL_LZO) := lzo
|
|
comp-type-$(CONFIG_KERNEL_XZ) := xzkern
|
|
comp-type-$(CONFIG_KERNEL_ZSTD) := zstd22
|
|
|
|
# in GZIP, the appended le32 carrying the uncompressed size is part of the
|
|
# format, but in other cases, we just append it at the end for convenience,
|
|
# causing the original tools to complain when checking image integrity.
|
|
# So disregard it when calculating the payload size in the zimage header.
|
|
zboot-method-y := $(comp-type-y)_with_size
|
|
zboot-size-len-y := 4
|
|
|
|
zboot-method-$(CONFIG_KERNEL_GZIP) := gzip
|
|
zboot-size-len-$(CONFIG_KERNEL_GZIP) := 0
|
|
|
|
quiet_cmd_sbsign = SBSIGN $@
|
|
cmd_sbsign = sbsign --out $@ $< \
|
|
--key $(CONFIG_EFI_ZBOOT_SIGNING_KEY) \
|
|
--cert $(CONFIG_EFI_ZBOOT_SIGNING_CERT)
|
|
|
|
$(obj)/$(EFI_ZBOOT_PAYLOAD).signed: $(obj)/$(EFI_ZBOOT_PAYLOAD) FORCE
|
|
$(call if_changed,sbsign)
|
|
|
|
ZBOOT_PAYLOAD-y := $(EFI_ZBOOT_PAYLOAD)
|
|
ZBOOT_PAYLOAD-$(CONFIG_EFI_ZBOOT_SIGNED) := $(EFI_ZBOOT_PAYLOAD).signed
|
|
|
|
$(obj)/vmlinuz: $(obj)/$(ZBOOT_PAYLOAD-y) FORCE
|
|
$(call if_changed,$(zboot-method-y))
|
|
|
|
OBJCOPYFLAGS_vmlinuz.o := -I binary -O $(EFI_ZBOOT_BFD_TARGET) \
|
|
--rename-section .data=.gzdata,load,alloc,readonly,contents
|
|
$(obj)/vmlinuz.o: $(obj)/vmlinuz FORCE
|
|
$(call if_changed,objcopy)
|
|
|
|
AFLAGS_zboot-header.o += -DMACHINE_TYPE=IMAGE_FILE_MACHINE_$(EFI_ZBOOT_MACH_TYPE) \
|
|
-DZBOOT_EFI_PATH="\"$(realpath $(obj)/vmlinuz.efi.elf)\"" \
|
|
-DZBOOT_SIZE_LEN=$(zboot-size-len-y) \
|
|
-DCOMP_TYPE="\"$(comp-type-y)\""
|
|
|
|
$(obj)/zboot-header.o: $(srctree)/drivers/firmware/efi/libstub/zboot-header.S FORCE
|
|
$(call if_changed_rule,as_o_S)
|
|
|
|
ZBOOT_DEPS := $(obj)/zboot-header.o $(objtree)/drivers/firmware/efi/libstub/lib.a
|
|
|
|
LDFLAGS_vmlinuz.efi.elf := -T $(srctree)/drivers/firmware/efi/libstub/zboot.lds
|
|
$(obj)/vmlinuz.efi.elf: $(obj)/vmlinuz.o $(ZBOOT_DEPS) FORCE
|
|
$(call if_changed,ld)
|
|
|
|
ZBOOT_EFI-y := vmlinuz.efi
|
|
ZBOOT_EFI-$(CONFIG_EFI_ZBOOT_SIGNED) := vmlinuz.efi.unsigned
|
|
|
|
OBJCOPYFLAGS_$(ZBOOT_EFI-y) := -O binary
|
|
$(obj)/$(ZBOOT_EFI-y): $(obj)/vmlinuz.efi.elf FORCE
|
|
$(call if_changed,objcopy)
|
|
|
|
targets += zboot-header.o vmlinuz vmlinuz.o vmlinuz.efi.elf vmlinuz.efi
|
|
|
|
ifneq ($(CONFIG_EFI_ZBOOT_SIGNED),)
|
|
$(obj)/vmlinuz.efi: $(obj)/vmlinuz.efi.unsigned FORCE
|
|
$(call if_changed,sbsign)
|
|
endif
|
|
|
|
targets += $(EFI_ZBOOT_PAYLOAD).signed vmlinuz.efi.unsigned
|