Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections

From: "Quirin Gylstorff" <quirin.gylstorff@siemens.com>
To: Jan Kiszka <jan.kiszka@siemens.com>,
	cip-dev@lists.cip-project.org,
	Dinesh Kumar <dinesh.kumar@toshiba-tsip.com>
Subject: Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections
Date: Wed, 5 May 2021 20:47:33 +0200	[thread overview]
Message-ID: <77651949-83ac-5a97-4ccb-b047d9f21867@siemens.com> (raw)
In-Reply-To: <9c3ef309-f2e8-0624-a118-d3e375d40559@siemens.com>

[-- Attachment #1: Type: text/plain, Size: 4276 bytes --]

On 5/5/21 6:47 PM, Jan Kiszka wrote:
> Dinesh, your citation settings are broken. When sending plaintext, as it
> is common on public lists, you need to set the mark "> " at the
> beginning of all cited line.
> 
> On 30.04.21 16:06, Dinesh Kumar wrote:
>> On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:
>>
>>      From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>>      - Add code block for key insertion for better visibility
>>      - Correct the template for user-generated keys
>>      - Add information where to store the keys
>>
>>      Add build command for user generated keys
>>
>>      Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>      ---
>>
>>      Changes in V2:
>>      - remove unnecessary new-lines
>>
>>      doc/README.secureboot.md | 20 +++++++++++++++-----
>>      1 file changed, 15 insertions(+), 5 deletions(-)
>>
>>      diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
>>      index 84131bb..0996edc 100644
>>      --- a/doc/README.secureboot.md
>>      +++ b/doc/README.secureboot.md
>>      @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd
>>      contains no keys can be instrumented f
>>      scripts/start-efishell.sh secureboot-tools
>>      ```
>>      4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the
>>      following steps:
>>
>>      +```
>>
>> Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or
>> higher as default Debian buster has older version of qemu and this step
>> fails with older version.
>> Also these steps can't be executed remotely as it launches UI window for
>> QEMU, so it should be done locally.
> 
> Feel free to send a patch (or MR if that is easier) that adjust things,
> Dinesh.
> 
>>
>>      -> "Edit Keys"
>>      -> "The Allowed Signatures Database (db)"
>>      -> "Add New Key"
>>      @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
>>      -> "Replace Key(s)"
>>      -> Change/Confirm device
>>      -> Select "PK.auth" file
>>      +```
>>      5. quit QEMU
>>
>>      ### Build image
>>
>>      Build the image with a signed efibootguard and unified kernel image
>>      with the snakeoil keys by executing:
>>      +
>>      ```
>>      kas-container build
>>      kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
>>      ```
>>
>>      -For user-generated keys, create a new option file. This option file
>>      could look like this:
>>      +For user-generated keys, create a new option file in the
>>      repository. This option file could look like this:
>>      ```
>>      header:
>>      version: 10
>>      includes:
>>      - - opt/ebg-swu.yml
>>      - - opt/ebg-secure-boot-initramfs.yml
>>      + - kas/opt/ebg-swu.yml
>>      + - kas/opt/ebg-secure-boot-base.yml
>>
>>      local_conf_header:
>>      secure-boot: |
>>      IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
>>      IMAGER_INSTALL += "ebg-secure-boot-secrets"
>>      - user-keys:
>>      + user-keys: |
>>      SB_CERTDB = "democertdb"
>>      SB_VERIFY_CERT = "demo.crt"
>>      SB_KEY_NAME = "demo"
>>      ```
>>
>>      -Replace `demo` with the name of the user-generated certificates.
>>      +Replace `demo` with the name of the user-generated certificates.

I added the following sentence to the README for the keys:

The formating is off:
>>      The user-generated certificates
>>      +need to stored in the folder
>>      `recipes-devtools/ebg-secure-boot-secrets/files`.

Dinesh is that sufficient?

Quirin
>>      +
>>      +Build the image with user-generated keys by executing the command:
>>      +
>>      +```
>>      +kas-container build
>>      kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to
>>      the new option>.yml
>>      +```
>>
>>      ### Start the image
>>
>> Where are you taking care of my below point? I don't see it yet
>>
>>      Keys and certs generated by scripts/generate_secure_boot_keys.sh are
>>      not available to build command, so I have to move them in
>>      recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work
>>
> 
> Quirin?
> 
> Jan
> 

[-- Attachment #2: Type: text/plain, Size: 428 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6431): https://lists.cip-project.org/g/cip-dev/message/6431
Mute This Topic: https://lists.cip-project.org/mt/82480976/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-