Custom scripts for UKI and Secure Boot OpenWRT image

Hi.
Recently I have been messing around with my openwrt build for generic x86-64.
I have figured out that doing this:

  • building the initramfs in .cpio.gz format
  • uncompressing the image and mounting it
  • running this command:
    # "@cmdline" makes ukify read the kernel command line from the file named cmdline;
    # a bare "cmdline" argument would be embedded as the literal command-line text
    sudo ukify build \
         --stub /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
         --linux tmp/boot/vmlinuz \
         --initrd openwrt-x86-64-rootfs.cpio.gz \
         --cmdline @cmdline \
         --output bootx64.efi

  • then signing the image with a cert using sbsign
  • finally deleting everything off the /kernel partition and replacing it with the single signed UKI image

I can then effectively use OpenWRT with Secure Boot still on in the firmware.
I wanted to have Secure Boot with OpenWRT - adding a shim proved to be troublesome,
so I went the UKI route.

I was wondering what the best approach for upstreaming this to OpenWRT official repo would be - is adding a bash script (for example scripts/ukify-and-sign.sh) a reasonable option?

Or should this functionality rather be in the form of a package?

I would appreciate some guidance. I would like to make this a contribution to OpenWRT repo, but I'm not yet sure what exact form it should take.


Hi

That would be a part of it.

The package would only be necessary if you'd like to manipulate/create signed images on target, which I don't think is what you want. The utilities you mentioned should be part of the tools which are needed on the host for image creation. From there they can be called by scripts/ukify-and-sign.sh.

Apart from that, the selection of the signing needs a bit of glue for the OpenWrt build system, so the user can request the signing when needed. I think the best option would be creating a new sub-option in Target Images -> ramdisk (since that's what you are targeting/using). That sub-option should have at least two options for selecting the key and certificate used for signing:

  1. Sign with key and certificate from particular path.
  2. Sign with new key (which will automatically create certificate chain and key, which user can upload to their machine).

The menuconfig options can be specified in config/Config-images.in, while other places you might be interested in on your journey are include/image.mk, include/image-commands.mk and target/linux/x86/image/Makefile.
As a side note, some users of the armsr target might be interested in signed images, so a generic approach would be best.

That's my take on it, which doesn't reflect what others might have in mind.

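To make the shape of the suggested host-side helper concrete, here is an added sketch of what a scripts/ukify-and-sign.sh could look like. It is example code written for this thread, not a script from the OpenWrt repository, and it assumes the two signing modes described above (reuse a key/cert from a given path, or generate a fresh key and self-signed certificate). Every function name, the UKI_STUB variable and the db.key/db.crt file names are assumptions; ukify, sbsign, sbverify and openssl are expected to be on the host. The invocation of sbverify after signing is added so that a broken signature is caught at build time rather than at the first boot with Secure Boot enforcing.

```shell
#!/bin/sh
# Example host-side helper (not the project's own code): build a UKI from an
# OpenWrt kernel + initramfs, then sign it for Secure Boot.
set -eu

# systemd-stub location; override with UKI_STUB if the distro installs it elsewhere
STUB="${UKI_STUB:-/usr/lib/systemd/boot/efi/linuxx64.efi.stub}"

# Print (do not run) the ukify invocation for the given inputs. The "@" prefix
# tells ukify to read the kernel command line from a file instead of a literal.
uki_build_cmd() {
    kernel=$1 initrd=$2 cmdline_file=$3 output=$4
    printf '%s\n' "ukify build --stub $STUB --linux $kernel --initrd $initrd --cmdline @$cmdline_file --output $output"
}

# Choose the signing material.
#   path:     reuse KEY and CERT supplied by the user (both must be readable)
#   generate: create a new RSA key and self-signed certificate in OUTDIR,
#             which the user can then enrol into the firmware's db
# Prints "key cert" on success; returns 1 on an unknown mode or missing files.
select_signing_material() {
    mode=$1 outdir=$2 key=${3:-} cert=${4:-}
    case $mode in
        path)
            [ -n "$key" ] && [ -n "$cert" ] || { echo "path mode needs key and cert" >&2; return 1; }
            [ -r "$key" ] && [ -r "$cert" ] || { echo "key or cert not readable" >&2; return 1; }
            ;;
        generate)
            key=$outdir/db.key cert=$outdir/db.crt
            openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
                -subj "/CN=OpenWrt Secure Boot signing key/" \
                -keyout "$key" -out "$cert" >/dev/null 2>&1
            ;;
        *)
            echo "unknown signing mode: $mode" >&2
            return 1
            ;;
    esac
    printf '%s %s\n' "$key" "$cert"
}

# Sign the UKI in place and verify the result against the certificate before
# it is allowed to replace the contents of the kernel partition.
sign_and_verify() {
    image=$1 key=$2 cert=$3
    sbsign --key "$key" --cert "$cert" --output "$image.signed" "$image"
    sbverify --cert "$cert" "$image.signed"
    mv "$image.signed" "$image"
}

# Usage: ukify-and-sign.sh MODE OUTDIR KERNEL INITRD CMDLINE_FILE [KEY CERT]
main() {
    mode=$1 outdir=$2 kernel=$3 initrd=$4 cmdline_file=$5
    key=${6:-} cert=${7:-}
    mkdir -p "$outdir"
    set -- $(select_signing_material "$mode" "$outdir" "$key" "$cert")
    key=$1 cert=$2
    image=$outdir/bootx64.efi
    sh -c "$(uki_build_cmd "$kernel" "$initrd" "$cmdline_file" "$image")"
    sign_and_verify "$image" "$key" "$cert"
    echo "signed UKI written to $image"
}

# Only run the pipeline when invoked with arguments, so the functions can also
# be sourced and reused from the build system.
if [ "$#" -ge 5 ]; then
    main "$@"
fi
```

Wiring this into the build would then be a matter of calling the script from include/image-commands.mk when the new Config-images.in sub-option is set, with the key/cert paths or the generate mode passed through from menuconfig.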