* [isar-cip-core] README.secureboot.md : Update steps for bullseye version
@ 2022-09-20 15:40 sai.sathujoda
2022-09-20 16:27 ` Jan Kiszka
0 siblings, 1 reply; 4+ messages in thread
From: sai.sathujoda @ 2022-09-20 15:40 UTC
To: cip-dev, jan.kiszka; +Cc: Sai, dinesh.kumar, kazuhiro3.hayashi
From: Sai <Sai.Sathujoda@toshiba-tsip.com>
Updated steps to enable secureboot with user-generated & snakeoil keys.
Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
---
doc/README.secureboot.md | 62 ++++++++++++++++++++++++++--------------
1 file changed, 41 insertions(+), 21 deletions(-)
diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 319b4db..977377a 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -76,7 +76,7 @@ Set up a secure boot test environment with [QEMU](https://www.qemu.org/)
### Debian Snakeoil keys
The build copies the Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF.
-You can use them as described in section [Start Image](### Start the image).
+You can use them as described in section [Start Image](#start-the-image).
### Generate Keys
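Review bot: the anchor change to `#start-the-image` is the right form for rendered markdown, but the context line just above it still has an unterminated backtick in `./build/tmp/deploy/images/<machine>/OVMF.`, which turns the rest of the paragraph into inline code in the rendered README; since this hunk already touches the paragraph, close the backtick after `OVMF` in the same patch.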
@@ -113,7 +113,7 @@ cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools
to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot.
3. Start QEMU with the script scripts/start-efishell.sh
```
-scripts/start-efishell.sh secureboot-tools
+OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.secboot.fd OVMF_VARS=./OVMF_VARS_4M.fd ./scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
```
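Review bot: the new command hardcodes the host path `/usr/share/OVMF/OVMF_CODE_4M.secboot.fd`, while the start-qemu.sh example later in this file uses the copy the build deploys under `./build/tmp/deploy/images/qemu-amd64/OVMF/`; pick one source for the firmware and say so, because pairing an OVMF_CODE and an OVMF_VARS from different origins is an easy way to end up with a mismatched firmware/varstore pair. Better still, make the 4M variants the defaults for `OVMF_CODE` and `OVMF_VARS` inside `scripts/start-efishell.sh`, so the README can go back to plain `./scripts/start-efishell.sh secureboot-tools`. The untouched context line `OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot.` is also missing an `and`, and `execute the the following steps` has a doubled `the`; both are worth fixing while the section is being edited.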
@@ -147,16 +147,28 @@ For user-generated keys, create a new option file in the repository. This option
header:
version: 10
includes:
- - kas/opt/ebg-secure-boot-base.yml
+ - kas/opt/ebg-swu.yml
+
+local_conf_header:
+ secure-boot-image: |
+ IMAGE_CLASSES += "verity"
+ IMAGE_FSTYPES = "wic"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+ INITRAMFS_INSTALL_append = " initramfs-verity-hook"
+ # abrootfs cannot be installed together with verity
+ INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook"
local_conf_header:
secure-boot: |
- IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
- IMAGER_INSTALL += "ebg-secure-boot-secrets"
+ IMAGER_BUILD_DEPS += "ebg-secure-boot-signer"
+ IMAGER_INSTALL += "ebg-secure-boot-signer"
+
+# Use user-generated keys
+ PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-key"
+
user-keys: |
- SB_CERTDB = "democertdb"
- SB_VERIFY_CERT = "demo.crt"
- SB_KEY_NAME = "demo"
+ SB_CERT = "demo.crt"
+ SB_KEY = "demo.key"
```
Replace `demo` with the name of the user-generated certificates. The user-generated certificates
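Review bot: the added `local_conf_header:` block introduces a second top-level `local_conf_header:` key in the same YAML document (the existing one carrying `secure-boot:` follows a few lines below); duplicate mapping keys are not valid YAML, and parsers that tolerate them keep only the last one, so the `secure-boot-image` block with the verity, `IMAGE_FSTYPES` and `WKS_FILE` settings would be dropped. Move `secure-boot-image: |` under the existing `local_conf_header:` next to `secure-boot:`. Also, `# Use user-generated keys` sits, as shown, at column 0 inside the `secure-boot: |` literal block; a less-indented line ends the block scalar, so `PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-key"` below it no longer reaches the generated local.conf and the file may not parse at all. Indent the comment to the block's level or drop it.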
@@ -174,7 +186,7 @@ kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:<path to the new option
Start the image with the following command:
```
-SECURE_BOOT=y \
+SECURE_BOOT=y DISTRO_RELEASE=bullseye \
./start-qemu.sh amd64
```
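Review bot: `DISTRO_RELEASE=bullseye` is now required in every start command, but the text never says why; add a sentence that the value must match the release the image was built with (the update section's `.swu` filename carries `-bullseye-`), or make bullseye the default in start-qemu.sh so the README does not need the variable at all.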
@@ -194,27 +206,32 @@ To change the boot behavior, enter `exit` in the shell to enter the bios and cha
#### User-generated keys
Start the image with the following command:
```
-SECURE_BOOT=y \
+SECURE_BOOT=y DISTRO_RELEASE=bullseye \
OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd \
OVMF_VARS=<path to the modified OVMF_VARS.fd> \
./start-qemu.sh amd64
```
-
+After boot check the dmesg for secure boot status like below:
+```
+root@demo:~# dmesg | grep Secure
+[ 0.008368] Secure boot enabled
+```
## Example: Update the image
For updating the image, the following steps are necessary:
-- [Build the image with snakeoil keys](### Build image)
+- [Build the image with snakeoil keys](#build-image)
- save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-bullseye-qemu-amd64.swu` to /tmp
-- modify the image for example add a new version to the image by adding `PV=2.0.0` to
- [cip-core-image.bb](recipes-core/images/cip-core-image.bb)
-- start the new target and copy the swu `cip-core-image-cip-core-bullseye-qemu-amd64.swu`
- to the running system, e.g.:
+- modify the image for example, switch to the RT kernel as modification:
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-secure-boot-snakeoil.yml:kas/opt/rt.yml
+```
+- start the new target
```
-SECURE=y ./start-qemu.sh amd64 -virtfs local,path=/tmp,mount_tag=host0,security_model=passthrough,id=host0
+SECURE_BOOT=y DISTRO_RELEASE=bullseye ./start-qemu.sh amd64
```
-- mount `host0` on target with:
+Copy the swu cip-core-image-cip-core-bullseye-qemu-amd64.swu to the running system
```
-mount -t 9p -o trans=virtio,version=9p2000.L host0 /mnt
+scp -P 22222 /tmp/cip-core-image-cip-core-bullseye-qemu-amd64.swu root@127.0.0.1:/home/
```
- check which partition is booted, e.g. with `lsblk`:
```
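Review bot: the list structure breaks in the middle of the procedure: `- start the new target` is a bullet, but `Copy the swu cip-core-image-cip-core-bullseye-qemu-amd64.swu to the running system` is plain text between two fenced blocks, so rendered markdown shows it as a paragraph rather than the next step; make it `- copy the swu ... to the running system:` like the surrounding items. The `scp -P 22222 ... root@127.0.0.1:/home/` line assumes that start-qemu.sh forwards host port 22222 to the guest's ssh port and that root can log in over ssh on the demo image; state both assumptions next to the command, since the removed virtfs/9p variant needed neither. Two wording points: `- modify the image for example, switch to the RT kernel as modification:` reads better as `- modify the image, for example by switching to the RT kernel:`, and `After boot check the dmesg for secure boot status like below:` as `After boot, check dmesg for the secure boot status:`.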
@@ -228,8 +245,11 @@ sda 8:0 0 2G 0 disk
└─sda5 8:5 0 1000M 0 part
```
-- install with `swupdate -i /mnt/cip-core-image-cip-core-bullseye-qemu-amd64.swu`
-- reboot
+- install the swupdate and reboot the image
+```
+root@demo:~# swupdate -i /home/cip-core-image-cip-core-bullseye-qemu-amd64.swu`
+root@demo:~# reboot
+```
- check which partition is booted, e.g. with `lsblk`. The rootfs should have changed:
```
root@demo:~# lsblk
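Review bot: the added line `root@demo:~# swupdate -i /home/cip-core-image-cip-core-bullseye-qemu-amd64.swu`` carries a stray trailing backtick left over from the old inline-code form; inside a fenced block it becomes part of the command, so a copy-pasted invocation points swupdate at a file name that does not exist. Drop it. `- install the swupdate and reboot the image` should also read `- install the update with swupdate and reboot`.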
--
2.20.1
* Re: [isar-cip-core] README.secureboot.md : Update steps for bullseye version
2022-09-20 15:40 [isar-cip-core] README.secureboot.md : Update steps for bullseye version sai.sathujoda
@ 2022-09-20 16:27 ` Jan Kiszka
2022-09-29 10:21 ` [cip-dev] " Sai.Sathujoda
2022-09-29 15:42 ` Gylstorff Quirin
0 siblings, 2 replies; 4+ messages in thread
From: Jan Kiszka @ 2022-09-20 16:27 UTC
To: Sai.Sathujoda, cip-dev, Quirin Gylstorff; +Cc: dinesh.kumar, kazuhiro3.hayashi
On 20.09.22 17:40, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
>
> Updated steps to enable secureboot with user-generated & snakeoil keys.
>
> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
> ---
> doc/README.secureboot.md | 62 ++++++++++++++++++++++++++--------------
> 1 file changed, 41 insertions(+), 21 deletions(-)
>
> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
> index 319b4db..977377a 100644
> --- a/doc/README.secureboot.md
> +++ b/doc/README.secureboot.md
> @@ -76,7 +76,7 @@ Set up a secure boot test environment with [QEMU](https://www.qemu.org/)
> ### Debian Snakeoil keys
>
> The build copies the Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF.
> -You can use them as described in section [Start Image](### Start the image).
> +You can use them as described in section [Start Image](#start-the-image).
>
> ### Generate Keys
>
> @@ -113,7 +113,7 @@ cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools
> to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot.
> 3. Start QEMU with the script scripts/start-efishell.sh
> ```
> -scripts/start-efishell.sh secureboot-tools
> +OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.secboot.fd OVMF_VARS=./OVMF_VARS_4M.fd ./scripts/start-efishell.sh secureboot-tools
> ```
> 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
> ```
> @@ -147,16 +147,28 @@ For user-generated keys, create a new option file in the repository. This option
> header:
> version: 10
> includes:
> - - kas/opt/ebg-secure-boot-base.yml
> + - kas/opt/ebg-swu.yml
> +
> +local_conf_header:
> + secure-boot-image: |
> + IMAGE_CLASSES += "verity"
> + IMAGE_FSTYPES = "wic"
> + WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
> + INITRAMFS_INSTALL_append = " initramfs-verity-hook"
> + # abrootfs cannot be installed together with verity
> + INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook"
>
> local_conf_header:
> secure-boot: |
> - IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
> - IMAGER_INSTALL += "ebg-secure-boot-secrets"
> + IMAGER_BUILD_DEPS += "ebg-secure-boot-signer"
> + IMAGER_INSTALL += "ebg-secure-boot-signer"
> +
> +# Use user-generated keys
> + PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-key"
> +
> user-keys: |
> - SB_CERTDB = "democertdb"
> - SB_VERIFY_CERT = "demo.crt"
> - SB_KEY_NAME = "demo"
> + SB_CERT = "demo.crt"
> + SB_KEY = "demo.key"
> ```
>
> Replace `demo` with the name of the user-generated certificates. The user-generated certificates
> @@ -174,7 +186,7 @@ kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:<path to the new option
>
> Start the image with the following command:
> ```
> -SECURE_BOOT=y \
> +SECURE_BOOT=y DISTRO_RELEASE=bullseye \
We should probably flip the defaults in start-qemu.sh now...
> ./start-qemu.sh amd64
> ```
>
> @@ -194,27 +206,32 @@ To change the boot behavior, enter `exit` in the shell to enter the bios and cha
> #### User-generated keys
> Start the image with the following command:
> ```
> -SECURE_BOOT=y \
> +SECURE_BOOT=y DISTRO_RELEASE=bullseye \
> OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd \
> OVMF_VARS=<path to the modified OVMF_VARS.fd> \
> ./start-qemu.sh amd64
> ```
> -
> +After boot check the dmesg for secure boot status like below:
> +```
> +root@demo:~# dmesg | grep Secure
> +[ 0.008368] Secure boot enabled
> +```
> ## Example: Update the image
>
> For updating the image, the following steps are necessary:
> -- [Build the image with snakeoil keys](### Build image)
> +- [Build the image with snakeoil keys](#build-image)
> - save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-bullseye-qemu-amd64.swu` to /tmp
> -- modify the image for example add a new version to the image by adding `PV=2.0.0` to
> - [cip-core-image.bb](recipes-core/images/cip-core-image.bb)
> -- start the new target and copy the swu `cip-core-image-cip-core-bullseye-qemu-amd64.swu`
> - to the running system, e.g.:
> +- modify the image for example, switch to the RT kernel as modification:
> +```
> +kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-secure-boot-snakeoil.yml:kas/opt/rt.yml
> +```
> +- start the new target
> ```
> -SECURE=y ./start-qemu.sh amd64 -virtfs local,path=/tmp,mount_tag=host0,security_model=passthrough,id=host0
> +SECURE_BOOT=y DISTRO_RELEASE=bullseye ./start-qemu.sh amd64
> ```
> -- mount `host0` on target with:
> +Copy the swu cip-core-image-cip-core-bullseye-qemu-amd64.swu to the running system
> ```
> -mount -t 9p -o trans=virtio,version=9p2000.L host0 /mnt
> +scp -P 22222 /tmp/cip-core-image-cip-core-bullseye-qemu-amd64.swu root@127.0.0.1:/home/
> ```
> - check which partition is booted, e.g. with `lsblk`:
> ```
> @@ -228,8 +245,11 @@ sda 8:0 0 2G 0 disk
> └─sda5 8:5 0 1000M 0 part
> ```
>
> -- install with `swupdate -i /mnt/cip-core-image-cip-core-bullseye-qemu-amd64.swu`
> -- reboot
> +- install the swupdate and reboot the image
> +```
> +root@demo:~# swupdate -i /home/cip-core-image-cip-core-bullseye-qemu-amd64.swu`
> +root@demo:~# reboot
> +```
> - check which partition is booted, e.g. with `lsblk`. The rootfs should have changed:
> ```
> root@demo:~# lsblk
Quirin, could you cross-check as well? Seems fine to me on a quick glance.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
* RE: [cip-dev] [isar-cip-core] README.secureboot.md : Update steps for bullseye version
2022-09-20 16:27 ` Jan Kiszka
@ 2022-09-29 10:21 ` Sai.Sathujoda
2022-09-29 15:42 ` Gylstorff Quirin
1 sibling, 0 replies; 4+ messages in thread
From: Sai.Sathujoda @ 2022-09-29 10:21 UTC
To: cip-dev, quirin.gylstorff; +Cc: dinesh.kumar, kazuhiro3.hayashi
Hi Jan & Quirin,
Is this patch still under review ? Please let us know.
Regards,
Sai Ashrith(T S I P)
-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Jan Kiszka
Sent: Tuesday, September 20, 2022 9:57 PM
To: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; cip-dev@lists.cip-project.org; Quirin Gylstorff <quirin.gylstorff@siemens.com>
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: [cip-dev] [isar-cip-core] README.secureboot.md : Update steps for bullseye version
On 20.09.22 17:40, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
>
> Updated steps to enable secureboot with user-generated & snakeoil keys.
>
> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
> ---
> doc/README.secureboot.md | 62
> ++++++++++++++++++++++++++--------------
> 1 file changed, 41 insertions(+), 21 deletions(-)
>
> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index
> 319b4db..977377a 100644
> --- a/doc/README.secureboot.md
> +++ b/doc/README.secureboot.md
> @@ -76,7 +76,7 @@ Set up a secure boot test environment with
> [QEMU](https://www.qemu.org/) ### Debian Snakeoil keys
>
> The build copies the Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF.
> -You can use them as described in section [Start Image](### Start the image).
> +You can use them as described in section [Start Image](#start-the-image).
>
> ### Generate Keys
>
> @@ -113,7 +113,7 @@ cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi
> secureboot-tools to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot.
> 3. Start QEMU with the script scripts/start-efishell.sh ```
> -scripts/start-efishell.sh secureboot-tools
> +OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.secboot.fd
> +OVMF_VARS=./OVMF_VARS_4M.fd ./scripts/start-efishell.sh
> +secureboot-tools
> ```
> 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
> ```
> @@ -147,16 +147,28 @@ For user-generated keys, create a new option
> file in the repository. This option
> header:
> version: 10
> includes:
> - - kas/opt/ebg-secure-boot-base.yml
> + - kas/opt/ebg-swu.yml
> +
> +local_conf_header:
> + secure-boot-image: |
> + IMAGE_CLASSES += "verity"
> + IMAGE_FSTYPES = "wic"
> + WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
> + INITRAMFS_INSTALL_append = " initramfs-verity-hook"
> + # abrootfs cannot be installed together with verity
> + INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook"
>
> local_conf_header:
> secure-boot: |
> - IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
> - IMAGER_INSTALL += "ebg-secure-boot-secrets"
> + IMAGER_BUILD_DEPS += "ebg-secure-boot-signer"
> + IMAGER_INSTALL += "ebg-secure-boot-signer"
> +
> +# Use user-generated keys
> + PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-key"
> +
> user-keys: |
> - SB_CERTDB = "democertdb"
> - SB_VERIFY_CERT = "demo.crt"
> - SB_KEY_NAME = "demo"
> + SB_CERT = "demo.crt"
> + SB_KEY = "demo.key"
> ```
>
> Replace `demo` with the name of the user-generated certificates. The
> user-generated certificates @@ -174,7 +186,7 @@ kas-container build
> kas-cip.yml:kas/board/qemu-amd64.yml:<path to the new option
>
> Start the image with the following command:
> ```
> -SECURE_BOOT=y \
> +SECURE_BOOT=y DISTRO_RELEASE=bullseye \
We should probably flip the defaults in start-qemu.sh now...
> ./start-qemu.sh amd64
> ```
>
> @@ -194,27 +206,32 @@ To change the boot behavior, enter `exit` in the
> shell to enter the bios and cha #### User-generated keys Start the
> image with the following command:
> ```
> -SECURE_BOOT=y \
> +SECURE_BOOT=y DISTRO_RELEASE=bullseye \
>
> OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secbo
> ot.fd \ OVMF_VARS=<path to the modified OVMF_VARS.fd> \
> ./start-qemu.sh amd64 ```
> -
> +After boot check the dmesg for secure boot status like below:
> +```
> +root@demo:~# dmesg | grep Secure
> +[ 0.008368] Secure boot enabled
> +```
> ## Example: Update the image
>
> For updating the image, the following steps are necessary:
> -- [Build the image with snakeoil keys](### Build image)
> +- [Build the image with snakeoil keys](#build-image)
> - save the generated swu
> `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-bullseye-q
> emu-amd64.swu` to /tmp
> -- modify the image for example add a new version to the image by
> adding `PV=2.0.0` to
> - [cip-core-image.bb](recipes-core/images/cip-core-image.bb)
> -- start the new target and copy the swu
> `cip-core-image-cip-core-bullseye-qemu-amd64.swu`
> - to the running system, e.g.:
> +- modify the image for example, switch to the RT kernel as modification:
> +```
> +kas-container build
> +kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-secure-boot-snakeoil
> +.yml:kas/opt/rt.yml
> +```
> +- start the new target
> ```
> -SECURE=y ./start-qemu.sh amd64 -virtfs
> local,path=/tmp,mount_tag=host0,security_model=passthrough,id=host0
> +SECURE_BOOT=y DISTRO_RELEASE=bullseye ./start-qemu.sh amd64
> ```
> -- mount `host0` on target with:
> +Copy the swu cip-core-image-cip-core-bullseye-qemu-amd64.swu to the
> +running system
> ```
> -mount -t 9p -o trans=virtio,version=9p2000.L host0 /mnt
> +scp -P 22222 /tmp/cip-core-image-cip-core-bullseye-qemu-amd64.swu
> +root@127.0.0.1:/home/
> ```
> - check which partition is booted, e.g. with `lsblk`:
> ```
> @@ -228,8 +245,11 @@ sda 8:0 0 2G 0 disk
> └─sda5 8:5 0 1000M 0 part
> ```
>
> -- install with `swupdate -i
> /mnt/cip-core-image-cip-core-bullseye-qemu-amd64.swu`
> -- reboot
> +- install the swupdate and reboot the image ``` root@demo:~# swupdate
> +-i /home/cip-core-image-cip-core-bullseye-qemu-amd64.swu`
> +root@demo:~# reboot
> +```
> - check which partition is booted, e.g. with `lsblk`. The rootfs should have changed:
> ```
> root@demo:~# lsblk
Quirin, could you cross-check as well? Seems fine to me on a quick glance.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux
* Re: [isar-cip-core] README.secureboot.md : Update steps for bullseye version
2022-09-20 16:27 ` Jan Kiszka
2022-09-29 10:21 ` [cip-dev] " Sai.Sathujoda
@ 2022-09-29 15:42 ` Gylstorff Quirin
1 sibling, 0 replies; 4+ messages in thread
From: Gylstorff Quirin @ 2022-09-29 15:42 UTC
To: Jan Kiszka, Sai.Sathujoda, cip-dev; +Cc: dinesh.kumar, kazuhiro3.hayashi
On 9/20/22 18:27, Jan Kiszka wrote:
> On 20.09.22 17:40, Sai.Sathujoda@toshiba-tsip.com wrote:
>> From: Sai <Sai.Sathujoda@toshiba-tsip.com>
>>
>> Updated steps to enable secureboot with user-generated & snakeoil keys.
>>
>> Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
>> ---
>> doc/README.secureboot.md | 62 ++++++++++++++++++++++++++--------------
>> 1 file changed, 41 insertions(+), 21 deletions(-)
>>
>> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
>> index 319b4db..977377a 100644
>> --- a/doc/README.secureboot.md
>> +++ b/doc/README.secureboot.md
>> @@ -76,7 +76,7 @@ Set up a secure boot test environment with [QEMU](https://www.qemu.org/)
>> ### Debian Snakeoil keys
>>
>> The build copies the Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF.
>> -You can use them as described in section [Start Image](### Start the image).
>> +You can use them as described in section [Start Image](#start-the-image).
>>
>> ### Generate Keys
>>
>> @@ -113,7 +113,7 @@ cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools
>> to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot.
>> 3. Start QEMU with the script scripts/start-efishell.sh
>> ```
>> -scripts/start-efishell.sh secureboot-tools
>> +OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.secboot.fd OVMF_VARS=./OVMF_VARS_4M.fd ./scripts/start-efishell.sh secureboot-tools
We should integrate the variables in ./scripts/start-efishell.sh as
OVMF_*_4M.* has the correct size. See
da0ff6630c7f6e48fc82b3766a04992bee7fcafe
>> ```
>> 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
>> ```
>> @@ -147,16 +147,28 @@ For user-generated keys, create a new option file in the repository. This option
>> header:
>> version: 10
>> includes:
>> - - kas/opt/ebg-secure-boot-base.yml
>> + - kas/opt/ebg-swu.yml
>> +
>> +local_conf_header:
>> + secure-boot-image: |
>> + IMAGE_CLASSES += "verity"
>> + IMAGE_FSTYPES = "wic"
>> + WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
>> + INITRAMFS_INSTALL_append = " initramfs-verity-hook"
>> + # abrootfs cannot be installed together with verity
>> + INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook"
>>
>> local_conf_header:
>> secure-boot: |
>> - IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
>> - IMAGER_INSTALL += "ebg-secure-boot-secrets"
>> + IMAGER_BUILD_DEPS += "ebg-secure-boot-signer"
>> + IMAGER_INSTALL += "ebg-secure-boot-signer"
>> +
>> +# Use user-generated keys
>> + PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-key"
>> +
>> user-keys: |
>> - SB_CERTDB = "democertdb"
>> - SB_VERIFY_CERT = "demo.crt"
>> - SB_KEY_NAME = "demo"
>> + SB_CERT = "demo.crt"
>> + SB_KEY = "demo.key"
>> ```
>>
>> Replace `demo` with the name of the user-generated certificates. The user-generated certificates
>> @@ -174,7 +186,7 @@ kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:<path to the new option
>>
>> Start the image with the following command:
>> ```
>> -SECURE_BOOT=y \
>> +SECURE_BOOT=y DISTRO_RELEASE=bullseye \
>
> We should probably flip the defaults in start-qemu.sh now...
>
>> ./start-qemu.sh amd64
>> ```
>>
>> @@ -194,27 +206,32 @@ To change the boot behavior, enter `exit` in the shell to enter the bios and cha
>> #### User-generated keys
>> Start the image with the following command:
>> ```
>> -SECURE_BOOT=y \
>> +SECURE_BOOT=y DISTRO_RELEASE=bullseye \
>> OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd \
>> OVMF_VARS=<path to the modified OVMF_VARS.fd> \
>> ./start-qemu.sh amd64
>> ```
>> -
>> +After boot check the dmesg for secure boot status like below:
>> +```
>> +root@demo:~# dmesg | grep Secure
>> +[ 0.008368] Secure boot enabled
>> +```
>> ## Example: Update the image
>>
>> For updating the image, the following steps are necessary:
>> -- [Build the image with snakeoil keys](### Build image)
>> +- [Build the image with snakeoil keys](#build-image)
>> - save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-bullseye-qemu-amd64.swu` to /tmp
>> -- modify the image for example add a new version to the image by adding `PV=2.0.0` to
>> - [cip-core-image.bb](recipes-core/images/cip-core-image.bb)
>> -- start the new target and copy the swu `cip-core-image-cip-core-bullseye-qemu-amd64.swu`
>> - to the running system, e.g.:
>> +- modify the image for example, switch to the RT kernel as modification:
>> +```
>> +kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-secure-boot-snakeoil.yml:kas/opt/rt.yml
>> +```
>> +- start the new target
>> ```
>> -SECURE=y ./start-qemu.sh amd64 -virtfs local,path=/tmp,mount_tag=host0,security_model=passthrough,id=host0
>> +SECURE_BOOT=y DISTRO_RELEASE=bullseye ./start-qemu.sh amd64
>> ```
>> -- mount `host0` on target with:
>> +Copy the swu cip-core-image-cip-core-bullseye-qemu-amd64.swu to the running system
>> ```
>> -mount -t 9p -o trans=virtio,version=9p2000.L host0 /mnt
>> +scp -P 22222 /tmp/cip-core-image-cip-core-bullseye-qemu-amd64.swu root@127.0.0.1:/home/
>> ```
>> - check which partition is booted, e.g. with `lsblk`:
>> ```
>> @@ -228,8 +245,11 @@ sda 8:0 0 2G 0 disk
>> └─sda5 8:5 0 1000M 0 part
>> ```
>>
>> -- install with `swupdate -i /mnt/cip-core-image-cip-core-bullseye-qemu-amd64.swu`
>> -- reboot
>> +- install the swupdate and reboot the image
>> +```
>> +root@demo:~# swupdate -i /home/cip-core-image-cip-core-bullseye-qemu-amd64.swu`
>> +root@demo:~# reboot
>> +```
>> - check which partition is booted, e.g. with `lsblk`. The rootfs should have changed:
>> ```
>> root@demo:~# lsblk
>
> Quirin, could you cross-check as well? Seems fine to me on a quick glance.
>
> Jan
>
Quirin