From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
	Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH 11/12] Enable SWUpdate with and w/o secure boot for QEMU arm64
Date: Wed,  4 May 2022 21:45:59 +0200	[thread overview]
Message-ID: <57b7b395a3ed44e4466fd3fa4ef4602430591d12.1651693560.git.jan.kiszka@siemens.com> (raw)
In-Reply-To: <cover.1651693560.git.jan.kiszka@siemens.com>

From: Jan Kiszka <jan.kiszka@siemens.com>

Hook up the new U-Boot recipe, provide new wks files and disable the
watchdog for EFI Boot Guard - that's all that's needed to allow offering
SWUpdate and secure boot for the QEMU arm64 target.

QEMU currently does not provide a watchdog for the virt machine which we
plan to use. A patch to change this has been sent, but for now we will
have to live without one.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 Kconfig                                       |  4 ++--
 conf/machine/qemu-arm64.conf                  |  3 +++
 kas/opt/ebg-secure-boot-snakeoil.yml          |  3 +++
 kas/opt/efibootguard.yml                      |  4 +++-
 wic/qemu-arm64-efibootguard-secureboot.wks.in | 15 +++++++++++++++
 wic/qemu-arm64-efibootguard.wks.in            | 13 +++++++++++++
 6 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 wic/qemu-arm64-efibootguard-secureboot.wks.in
 create mode 100644 wic/qemu-arm64-efibootguard.wks.in

diff --git a/Kconfig b/Kconfig
index 135794d..651a726 100644
--- a/Kconfig
+++ b/Kconfig
@@ -131,11 +131,11 @@ if IMAGE_FLASH && !KERNEL_4_4 && !KERNEL_4_19
 
 config IMAGE_SWUPDATE
 	bool "SWUpdate support for root partition"
-	depends on TARGET_QEMU_AMD64 || TARGET_SIMATIC_IPC227E
+	depends on TARGET_QEMU_AMD64 || TARGET_SIMATIC_IPC227E || TARGET_QEMU_ARM64
 
 config IMAGE_SECURE_BOOT
 	bool "Secure boot support"
-	depends on TARGET_QEMU_AMD64
+	depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64
 	select IMAGE_SWUPDATE
 
 config KAS_INCLUDE_SWUPDATE_SECBOOT
diff --git a/conf/machine/qemu-arm64.conf b/conf/machine/qemu-arm64.conf
index 0d21262..4e12cdb 100644
--- a/conf/machine/qemu-arm64.conf
+++ b/conf/machine/qemu-arm64.conf
@@ -11,3 +11,6 @@ DISTRO_ARCH = "arm64"
 IMAGE_FSTYPES ?= "ext4-img"
 USE_CIP_KERNEL_CONFIG = "1"
 KERNEL_DEFCONFIG ?= "cip-kernel-config/${KERNEL_DEFCONFIG_VERSION}/arm64/qemu_arm64_defconfig"
+
+# for SWUpdate setups: watchdog is configured in U-Boot
+WDOG_TIMEOUT = "0"
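Review bot: The comment above `WDOG_TIMEOUT = "0"` says the watchdog is configured in U-Boot, but the commit message states that the QEMU virt machine currently provides no watchdog at all, so a reader of the machine config is given the wrong expectation about boot-failure fallback. I would make the trade-off explicit in the config itself, e.g. `# SWUpdate setups: EFI Boot Guard must not arm a watchdog here (none exists on qemu-virt yet), so a hung boot does not fall back to the other slot automatically`. The assignment is unconditional, so it presumably also applies to non-SWUpdate images; if EFI Boot Guard is the only consumer that is harmless, but worth a word in the comment.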
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 7442eb7..3f2a794 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -32,3 +32,6 @@ local_conf_header:
     IMAGER_INSTALL += "ebg-secure-boot-signer"
     # Use snakeoil keys
     PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-snakeoil"
+
+  secureboot_override: |
+    OVERRIDES .= ":secureboot"
diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
index c71cdb3..d85aed7 100644
--- a/kas/opt/efibootguard.yml
+++ b/kas/opt/efibootguard.yml
@@ -27,10 +27,12 @@ local_conf_header:
     IMAGE_FSTYPES ?= "wic-img"
     WKS_FILE ?= "${MACHINE}-efibootguard.wks.in"
 
-  ovmf-binaries: |
+  firmware-binaries: |
     # Add ovmf binaries for qemu
     IMAGER_BUILD_DEPS_append_qemu-amd64 += "ovmf-binaries"
     # not needed for Debian 11 and later
     OVERRIDES_append_qemu-amd64 = ":${BASE_DISTRO_CODENAME}"
     DISTRO_APT_SOURCES_append_qemu-amd64_buster = " conf/distro/debian-buster-backports.list"
     DISTRO_APT_PREFERENCES_append_qemu-amd64_buster = " conf/distro/preferences.ovmf-snakeoil.conf"
+    # Add U-Boot for qemu
+    IMAGER_BUILD_DEPS_append_qemu-arm64 += "u-boot-qemu-arm64"
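Review bot: The new `IMAGER_BUILD_DEPS_append_qemu-arm64 += "u-boot-qemu-arm64"` combines an `_append` override with `+=`; it yields the intended leading space only because the override variable starts out empty, which is a pattern BitBake lint tools flag. The conventional form is `IMAGER_BUILD_DEPS_append_qemu-arm64 = " u-boot-qemu-arm64"`. It does mirror the pre-existing amd64 line two entries above, so if consistency is preferred, both could be converted together.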
diff --git a/wic/qemu-arm64-efibootguard-secureboot.wks.in b/wic/qemu-arm64-efibootguard-secureboot.wks.in
new file mode 100644
index 0000000..df6a9a1
--- /dev/null
+++ b/wic/qemu-arm64-efibootguard-secureboot.wks.in
@@ -0,0 +1,15 @@
+# EFI partition containing efibootguard bootloader binary
+include ebg-signed-bootloader.inc
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,signwith=/usr/bin/sign_secure_image.sh"
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.${VERITY_IMAGE_TYPE}.verity.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024 --size 1G
+part /var  --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var  --fstype=ext4 --label var  --align 1024 --size 2G
+
+bootloader --ptable gpt --append="panic=5"
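Review bot: The new secure-boot wks file has no `# short-description:` / `# long-description:` header lines, unlike its sibling `qemu-arm64-efibootguard.wks.in` added in this series, so tooling that lists images by their description has nothing to show for it; add `# short-description: arm64 with EFI Boot Guard, SWUpdate and secure boot` and `# long-description: Disk image for arm64 machines with EFI Boot Guard, SWUpdate and secure boot` at the top. The `--append="panic=5"` on the bootloader line is presumably what makes a slot with a failing verity root reboot rather than hang, which matters here because the machine config disables EFI Boot Guard's watchdog with `WDOG_TIMEOUT = "0"`; a one-line comment stating that, e.g. `# no watchdog on qemu-virt: reboot on panic so EFI Boot Guard can fall back to the other slot`, would keep the next reader from dropping the option.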
diff --git a/wic/qemu-arm64-efibootguard.wks.in b/wic/qemu-arm64-efibootguard.wks.in
new file mode 100644
index 0000000..a153205
--- /dev/null
+++ b/wic/qemu-arm64-efibootguard.wks.in
@@ -0,0 +1,13 @@
+# short-description: arm64 with EFI Boot Guard and SWUpdate
+# long-description: Disk image for arm64 machines with EFI Boot Guard and SWUpdate
+
+include ebg-sysparts.inc
+
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000001"
+part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.squashfs.img" --align 1024 --fixed-size 1G --uuid "fedcba98-7654-3210-cafe-5e0710000002"
+
+# home and var are extra partitions
+part /home --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/home --fstype=ext4 --label home --align 1024  --size 1G
+part /var --source rootfs --rootfs-dir=${IMAGE_ROOTFS}/var --fstype=ext4 --label var --align 1024  --size 2G
+
+bootloader --ptable gpt
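Review bot: `bootloader --ptable gpt` in the non-secure-boot variant omits the `--append="panic=5"` that the secure-boot file in this same series sets, and nothing in the hunk explains the difference. With `WDOG_TIMEOUT = "0"` in the machine config and no watchdog on the QEMU virt machine per the commit message, a kernel panic in the active slot would hang the VM instead of rebooting so EFI Boot Guard can revert to the other slot; I would use `bootloader --ptable gpt --append="panic=5"` here too, or document why the plain SWUpdate image does not need it. The doubled spaces in `--align 1024  --size 1G` on the `/home` and `/var` lines look accidental and differ from the secure-boot file.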
-- 
2.34.1


