Add support for Secure Boot

[johntoomey]

@toganlabs to find out what hardware we need to implement this for and confirm that it is UEFI secure boot that is being requested

[johntoomey]

• https://github.com/opencomputeproject/onie/blob/master/machine/kvm_x86_64/README.secureboot
• https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html
• https://github.com/jiazhang0/meta-secure-core/tree/master/meta-efi-secure-boot

[johntoomey]

Confirmed that the APS BF6064 (100G) supports UEFI Secure Boot in the BIOS

[johntoomey]

As of friday we have ONIE booting on a 2556 in secure boot mode - APS are going to get the BIOS update that enables this functionality available for general release. Next week ill start the process of building mion with secure boot support using meta-secure-core.

[johntoomey]

The linked pull request contains a partial implementation of the UEFI secure boot. A new INSTALL_TYPE build option can be set to "initramfs" which builds and installs the root filesystem (cpio.gz) and kernel (bzImage) as individual files rather than a than a "standard" install where the root filesystem (containing the kernel) is installed directly on the system. This initramfs option can be used independent of secure boot but is limited by the size of the system RAM and causes the system to loose all changes on reboot. A number or new SECUREBOOT* parameters can be set in the mion image configs or in the local.conf which cause the kernel to be signed using sbsign before it is installed on the system.

Limitations of this code and further development:

• the root filesystem is not signed and its not clear how ONIE expects this to be achieved from the reading of the code and documentation - we might need to contact the ONIE mailing list to get some direction on this - it might be possible to use INITRAMFS_IMAGE_BUNDLE to bundle the initramfs and kernel together so that they could be signed as one (not sure if this would work)
• ONIE also supports a signed installer but the documentation is sparse and speaks of an example implementation which does not seem to exist anywhere - as above, might need to contact onie
• due to the way the cpio.gz filesystem is constructed, it contains another version of the kernel in /boot which takes up extra space and is confusing - this really should be fixed if this "initramfs" mode is to be used

[johntoomey]

http://mirror.opencompute.org/onie/docs/ONIESecureBootv2.pdf