Hi,

We're cross compiling and booting into u-boot based UEFI secure boot firmware which should load a UKI with kernel and initramfs to find the real rootfs. This has been working for months now with systemd 256 but is now broken with 257.1.

UKI is generated in the cross compile environment with:

    ukify build \
      --efi-arch aa64 \
      --stub /home/builder/src/base/repo/meta-arm/build/tmp/deploy/images/qemuarm64-secureboot/linuxaa64.efi.stub \
      --initrd=/home/builder/src/base/repo/meta-arm/build/tmp/deploy/images/qemuarm64-secureboot/core-image-initramfs-boot-qemuarm64-secureboot.cpio.gz \
      --linux=/home/builder/src/base/repo/meta-arm/build/tmp/deploy/images/qemuarm64-secureboot/Image \
      --cmdline='rootwait root=LABEL=root console=ttyAMA0,115200' \
      --tools=/home/builder/src/base/repo/meta-arm/build/tmp/work/qemuarm64_secureboot-poky-linux/core-image-base/1.0/recipe-sysroot-native/usr/lib/systemd/tools \
      --os-release=@/home/builder/src/base/repo/meta-arm/build/tmp/work/qemuarm64_secureboot-poky-linux/core-image-base/1.0/recipe-sysroot/usr/lib/os-release \
      --sign-kernel \
      --secureboot-private-key='/home/builder/src/base/repo/meta-arm/build/sbkeys/db.key' \
      --secureboot-certificate='/home/builder/src/base/repo/meta-arm/build/sbkeys/db.crt' \
      --output=/home/builder/src/base/repo/meta-arm/build/tmp/deploy/images/qemuarm64-secureboot/uki.efi

This is now failing to boot in qemu with systemd-boot/systemd 257.1 (u-boot 2025.01 if that matters):

    NOTICE: Booting Trusted Firmware
    NOTICE: BL1: v2.12.0(release):v2.12.0-dirty
    NOTICE: BL1: Built : 22:30:24, Nov 20 2024
    NOTICE: BL1: Booting BL2
    NOTICE: BL2: v2.12.0(release):v2.12.0-dirty
    NOTICE: BL2: Built : 22:30:24, Nov 20 2024
    NOTICE: BL1: Booting BL31
    NOTICE: BL31: v2.12.0(release):v2.12.0-dirty
    NOTICE: BL31: Built : 22:30:24, Nov 20 2024

    U-Boot 2025.01 (Jan 07 2025 - 00:54:44 +0000)

    DRAM: 1 GiB
    Core: 51 devices, 14 uclasses, devicetree: board
    Flash: 32 MiB
    Loading Environment from Flash... *** Warning - bad CRC, using default environment

    In: serial,usbkbd
    Out: serial,vidconsole
    Err: serial,vidconsole
    Bus xhci_pci: Register 8001040 NbrPorts 8
    Starting the controller
    USB XHCI 1.00
    scanning bus xhci_pci for devices... 3 USB Device(s) found
    Net: eth0: virtio-net#32
    Hit any key to stop autoboot: 0
    Cannot persist EFI variables without system partition
    Missing TPMv2 device for EFI_TCG_PROTOCOL

    *** U-Boot Boot Menu ***
    Press UP/DOWN to move, ENTER to select, ESC to quit
    UEFI Boot Manager
    UEFI Maintenance Menu
    virtio 0
    Exit
    Hit any key to stop autoboot: 2
    Hit any key to stop autoboot: 1
    Booting: virtio 0

    Poky (Yocto Project Reference Distro) 5.1 (styhead)
    Boot in 5 s.
    ───────────────────────────────────────────────────────────────
    Boot in 4 s.
    ───────────────────────────────────────────────────────────────
    Boot in 3 s.
    ───────────────────────────────────────────────────────────────
    Boot in 2 s.
    ───────────────────────────────────────────────────────────────
    Boot in 1 s.
    ───────────────────────────────────────────────────────────────
    Image not authenticated
    /usr/src/debug/systemd-boot/257.1/src/boot/linux.c:125@linux_exec: Error loading kernel image: Security violation
    /usr/src/debug/systemd-boot/257.1/src/boot/boot.c:2640@image_start: Failed to execute Poky (Yocto Project Reference Distro) 5.1 (styhead) (\EFI\Linux\uki.efi): Security violation
    ## Application failed, r = 26
    =>

So what could be causing this and how to fix the boot?

meta-arm maintainer Jon Mason had bisected this to commit:

https://github.com/systemd/systemd/commit/2188c759f97e40b97ebe3e94e82239f36b525b10

Cheers,

-Mikko