Linaro UEFI Secure Boot and DRI
Kalyan Kumar N
Agenda
● Introduction
● RootFS Validation
● Build Environment
● RDK BootLoader selects the valid Platform Code Image (PCI) from the
Device non-volatile memory to load and execute.
● LoadImage protocol of UEFI Boot service is used to load the kernel image
from boot partition.
● The key that validates the rootfs can be placed in the boot partition; it is
registered as a UEFI variable and exported to the Linux kernel.
● Downloads the PCI image file via Ethernet (USB-to-Ethernet interface) and
stores the image in flash memory.
● The kernel boots with a temporary initramfs, validates the signed
rootfs image, and mounts it.
Yocto build settings for creating the initramfs:
INITRAMFS_IMAGE = "core-image-minimal-initramfs"
INITRAMFS_FSTYPES = "cpio"
● Kernel provides EFIVAR file system, which enables accessing UEFI variables
from kernel.
● Sign the rootfs using openssl and generate the sha256 hash file, which becomes
part of the monolithic image and is used to verify the signature.
Ex: openssl dgst -sha256 -sign "Key.key" -out rootfs.sha256 rootfs.tar.bz2
● Once the secure Linux kernel has booted with the initramfs, it validates the
rootfs, untars it, and mounts it.
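The sign-then-verify flow from the bullets above, as an added example (not code from RdkPkg or the slides): it strips the 4-byte attribute word that efivarfs places in front of a variable's data, checks the signature stored in rootfs.sha256, and refuses to untar when the check fails. The PEM public-key format, the variable file name RootfsKey and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not RdkPkg code. File names and key format are assumptions.

# An efivarfs file starts with a 4-byte attribute word; the payload follows.
efivar_payload() {          # $1 = efivarfs file, $2 = output file
    tail -c +5 "$1" > "$2"
}

# Check a signature produced by:
#   openssl dgst -sha256 -sign Key.key -out rootfs.sha256 rootfs.tar.bz2
verify_rootfs() {           # $1 = PEM public key, $2 = signature, $3 = image
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Untar only after the signature checks out; otherwise touch nothing.
unpack_verified_rootfs() {  # $1 = key, $2 = signature, $3 = image, $4 = target
    verify_rootfs "$1" "$2" "$3" || { echo "rootfs signature invalid" >&2; return 1; }
    mkdir -p "$4" && tar -xjf "$3" -C "$4"
}

# Constructed demo: throwaway key, placeholder image, simulated efivarfs file.
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/Key.key" 2048 2>/dev/null
    openssl rsa -in "$d/Key.key" -pubout -out "$d/pub.pem" 2>/dev/null
    printf 'constructed rootfs bytes' > "$d/rootfs.tar.bz2"
    openssl dgst -sha256 -sign "$d/Key.key" -out "$d/rootfs.sha256" "$d/rootfs.tar.bz2"
    # 4 attribute bytes (07 00 00 00), then the key, as efivarfs would present it.
    { printf '\007\000\000\000'; cat "$d/pub.pem"; } > "$d/RootfsKey"
    efivar_payload "$d/RootfsKey" "$d/key.pem"
    if verify_rootfs "$d/key.pem" "$d/rootfs.sha256" "$d/rootfs.tar.bz2"
    then good=accepted; else good=rejected; fi
    printf 'x' >> "$d/rootfs.tar.bz2"     # tamper with the image after signing
    if verify_rootfs "$d/key.pem" "$d/rootfs.sha256" "$d/rootfs.tar.bz2"
    then bad=accepted; else bad=rejected; fi
    rm -rf "$d"
    echo "original=$good tampered=$bad"
}

demo
```

The verification result is only as trustworthy as the key it is checked against, so the key read from the UEFI variable must itself come from the measured or signed boot path rather than from the image being verified.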
https://github.com/linaro-home/RdkPkg.git
#SFO17
SFO17 keynotes and videos on: connect.linaro.org
For further information: www.linaro.org