From: "Jan Kiszka" <jan.kiszka@siemens.com>
To: "Q. Gylstorff" <Quirin.Gylstorff@siemens.com>,
	cip-dev@lists.cip-project.org
Subject: Re: [cip-dev][isar-cip-core][PATCH v4 0/6] secureboot with efibootguard
Date: Fri, 21 Aug 2020 17:18:30 +0200	[thread overview]
Message-ID: <5636e8fc-839d-de07-1c17-30fce9efd905@siemens.com> (raw)
In-Reply-To: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>

On 21.08.20 11:55, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This patchset adds secureboot with efibootguard to cip-core.
> 
> The image build signs the efibootguard bootloader (bootx64.efi) and generates
> a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
> A unified kernel image packs the kernel, initramfs and the kernel command-line
> in one binary object. As the kernel command-line is immutable after the build
> process, the previous selection of the root file system with a command-line parameter is no longer
> possible. Therefore the selection of the root file-system occurs now in the initramfs.
> 
> The image uses an A/B partition layout to update the root file system. The sample implementation to
> select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
> During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
> If a match is found the rootfs is used for the boot.
> 
> Changes V2:
> 
>  - rebase to [1]
>  - removed luahandler patch as it now part of [1]
>  - add handling for sw-description
> 
> Changes V3:
> 
>  - rewrite the image id creation to ensure a new uuid is generated if a new package is
>    added or the rootfs is changed in any other way
>  - add readme section how to execute/test the software update mechanism
>  - adapt to version v3 of [1]
>  - update the patch
>  - add wks file for efibootguard and swupdate
> 
> [1]: a/b rootfsupdate with software update
> 
> Changes V4:
> 
>  - rebase onto next 619edb509bd287277749580cbc842e57d5044756
>  - fix indent of ./start-qemu.sh
>  - whitespace fixes
>  - update libubootenv patch to v2
>  - update revision of cip-kernel-config to ca24d965adf77730caf1cd32bdfcffd69e369502
>    to boot secureboot with qemu
>  - swupdate swdescription for non-secure-boot images
> 
> Quirin Gylstorff (6):
>   linux-cip: Update revision of kernel config
>   isar-patch: Add initramfs-config patch
>   secure-boot: select boot partition in initramfs
>   secure-boot: Add secure boot with unified kernel image
>   secure-boot: Add Debian snakeoil keys for ease-of-use
>   doc: Add README for secureboot
> 
>  classes/image_uuid.bbclass                    |  33 +++
>  conf/distro/debian-buster-backports.list      |   1 +
>  conf/distro/preferences.ovmf-snakeoil.conf    |   3 +
>  doc/README.secureboot.md                      | 229 ++++++++++++++++++
>  .../0001-u-boot-add-libubootenv.patch         | 161 ++++++------
>  ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++
>  kas-cip.yml                                   |   3 +
>  kas/opt/ebg-secure-boot-base.yml              |  18 ++
>  kas/opt/ebg-secure-boot-snakeoil.yml          |  28 +++
>  kas/opt/ebg-swu.yml                           |   4 +-
>  recipes-core/images/cip-core-image.bb         |  12 +-
>  .../files/secure-boot/sw-description.tmpl     |  29 +++
>  recipes-core/images/files/sw-description.tmpl |  19 +-
>  recipes-core/images/secureboot.inc            |  21 ++
>  recipes-core/images/swupdate.inc              |  21 ++
>  .../ebg-secure-boot-secrets_0.1.bb            |  51 ++++
>  .../ebg-secure-boot-secrets/files/README.md   |   1 +
>  .../files/control.tmpl                        |  12 +
>  .../files/sign_secure_image.sh.tmpl           |  22 ++
>  .../ebg-secure-boot-snakeoil_0.1.bb           |  34 +++
>  .../files/control.tmpl                        |  12 +
>  .../files/sign_secure_image.sh                |  36 +++
>  .../ovmf-binaries/files/control.tmpl          |  11 +
>  .../ovmf-binaries/ovmf-binaries_0.1.bb        |  30 +++
>  recipes-kernel/linux/linux-cip-common.inc     |   2 +-
>  .../files/initramfs.image_uuid.hook           |  33 +++
>  .../files/initramfs.lsblk.hook                |  29 +++
>  .../initramfs-config/files/postinst.ext       |   3 +
>  .../files/secure-boot-debian-local-patch      |  79 ++++++
>  .../initramfs-abrootfs-secureboot_0.1.bb      |  38 +++
>  ...enerate-sb-db-from-existing-certificate.sh |  16 ++
>  scripts/generate_secure_boot_keys.sh          |  51 ++++
>  .../wic/plugins/source/efibootguard-boot.py   |  87 ++++++-
>  .../wic/plugins/source/efibootguard-efi.py    |  40 ++-
>  scripts/start-efishell.sh                     |  12 +
>  start-qemu.sh                                 |  59 +++--
>  wic/ebg-signed-bootloader.inc                 |   2 +
>  wic/qemu-amd64-efibootguard-secureboot.wks    |   9 +
>  wic/qemu-amd64-efibootguard.wks               |   1 -
>  39 files changed, 1330 insertions(+), 129 deletions(-)
>  create mode 100644 classes/image_uuid.bbclass
>  create mode 100644 conf/distro/debian-buster-backports.list
>  create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
>  create mode 100644 doc/README.secureboot.md
>  create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
>  create mode 100644 kas/opt/ebg-secure-boot-base.yml
>  create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
>  create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
>  create mode 100644 recipes-core/images/secureboot.inc
>  create mode 100644 recipes-core/images/swupdate.inc
>  create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
>  create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
>  create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
>  create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
>  create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
>  create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
>  create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
>  create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
>  create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
>  create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
>  create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
>  create mode 100644 recipes-support/initramfs-config/files/postinst.ext
>  create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
>  create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
>  create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
>  create mode 100755 scripts/generate_secure_boot_keys.sh
>  create mode 100755 scripts/start-efishell.sh
>  create mode 100644 wic/ebg-signed-bootloader.inc
>  create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
> 

I've taken this to next, but this also needs a hook-up with the CI system.

Thanks,
Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
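The cover letter describes how the initramfs picks the root file system once the kernel command line is baked into the signed unified kernel image: it compares the uuid it was built with against the uuid recorded in /etc/os-release of each A/B slot and boots the slot that matches. The following shell script is an added illustration of that selection logic, not code from isar-cip-core or from the patch series (the project's real logic lives in the initramfs hooks the series adds, which this page does not show). The os-release key name IMAGE_UUID, the slot mount points and the sample uuids are assumptions; the two slots are constructed in a temporary directory so the script runs offline.

```shell
# Added example (not isar-cip-core code): emulate the initramfs rootfs
# selection described in the cover letter. The initramfs carries the uuid
# of the image it was built with; each candidate rootfs carries the same
# uuid in /etc/os-release. The key name IMAGE_UUID is an assumption.

select_rootfs() {
    # $1: uuid baked into the initramfs; $2..: candidate rootfs mount points.
    # Prints the first matching mount point and returns 0; returns 1 if
    # no slot carries the expected uuid.
    own_uuid="$1"; shift
    for root in "$@"; do
        [ -r "$root/etc/os-release" ] || continue
        # Extract only the IMAGE_UUID key instead of sourcing the file:
        # sourcing /etc/os-release from the initramfs would execute any
        # shell code placed in a modified rootfs. Quotes are tolerated.
        cand=$(sed -n 's/^IMAGE_UUID=//p' "$root/etc/os-release" | tr -d '"')
        if [ -n "$cand" ] && [ "$cand" = "$own_uuid" ]; then
            printf '%s\n' "$root"
            return 0
        fi
    done
    return 1
}

# Constructed sample data: slot A holds the previous image, slot B the
# freshly written update. Real slots would be mounted block devices.
make_slot() {
    mkdir -p "$1/etc"
    printf 'ID=cip-core\nIMAGE_UUID="%s"\n' "$2" > "$1/etc/os-release"
}
TMP=$(mktemp -d)
UUID_A=11111111-1111-1111-1111-111111111111
UUID_B=22222222-2222-2222-2222-222222222222
make_slot "$TMP/a" "$UUID_A"
make_slot "$TMP/b" "$UUID_B"

# Usage: pretend this initramfs was built together with the image in slot B.
select_rootfs "$UUID_B" "$TMP/a" "$TMP/b"
```

Two points worth keeping in mind when reading the real hooks: the uuid comparison identifies which slot belongs to the booted unified image, it does not verify the contents of that slot, so whatever integrity guarantee secure boot gives ends at the signed bootloader and unified kernel image unless the rootfs itself is verified by some other means; and /etc/os-release should be parsed, not sourced, from the initramfs, since it lives on the very partition whose trustworthiness is still open at that point.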


Thread overview: 11+ messages
2020-08-21  9:55 [cip-dev][isar-cip-core][PATCH v4 0/6] secureboot with efibootguard Quirin Gylstorff
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 1/6] linux-cip: Update revision of kernel config Quirin Gylstorff
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 2/6] isar-patch: Add initramfs-config patch Quirin Gylstorff
2020-08-21 14:48   ` Jan Kiszka
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 3/6] secure-boot: select boot partition in initramfs Quirin Gylstorff
2020-08-21 14:45   ` Jan Kiszka
2020-08-24  8:10     ` Quirin Gylstorff
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 4/6] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 6/6] doc: Add README for secureboot Quirin Gylstorff
2020-08-21 15:18 ` Jan Kiszka [this message]
