* [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard
@ 2020-06-25 14:10 Quirin Gylstorff
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 1/7] kernel: add fat for qemu-amd64 Quirin Gylstorff
                   ` (7 more replies)
  0 siblings, 8 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-25 14:10 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 5176 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds secureboot with efibootguard to cip-core.

The image build signs the efibootguard bootloader (bootx64.efi) and generates
a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
A unified kernel image packs the kernel, initramfs and the kernel command line
in one binary object. As the kernel command line is immutable after the build
process, the previous selection of the root file system with a command-line
parameter is no longer possible. Therefore the selection of the root file
system now occurs in the initramfs.

The image uses an A/B partition layout to update the root file system. The
sample implementation to select the root file system generates a UUID and
stores the id in /etc/os-release and in the initramfs. During boot the
initramfs compares its own UUID with the UUID stored in /etc/os-release of
each rootfs. If a match is found, that rootfs is used for the boot.


Quirin Gylstorff (7):
  kernel: add fat for qemu-amd64
  isar-patch: Add initramfs-config patch
  secure-boot: select boot partition in initramfs
  secure-boot: Add secure boot with unified kernel image
  secure-boot: Add Debian snakeoil keys for ease-of-use
  swupdate: Add luahandler for secureboot
  doc: Add README for secureboot

 classes/image_uuid.bbclass                    |  29 +++
 conf/distro/debian-buster-backports.list      |   1 +
 conf/distro/preferences.ovmf-snakeoil.conf    |   3 +
 doc/README.secureboot.md                      | 188 ++++++++++++++++
 ...-support-Generate-a-custom-initramfs.patch | 208 ++++++++++++++++++
 kas/cip.yml                                   |   3 +
 kas/opt/ebg-secure-boot-base.yml              |  30 +++
 kas/opt/ebg-secure-boot-snakeoil.yml          |  31 +++
 kas/opt/qemu-wic.yml                          |  14 ++
 recipes-core/images/cip-core-image.bb         |   2 +-
 .../swupdate/files/swupdate_handlers.lua      |   8 +-
 .../ebg-secure-boot-secrets_0.1.bb            |  52 +++++
 .../ebg-secure-boot-secrets/files/README.md   |   1 +
 .../files/control.tmpl                        |  12 +
 .../files/sign_secure_image.sh.tmpl           |  22 ++
 .../ebg-secure-boot-snakeoil_0.1.bb           |  35 +++
 .../files/control.tmpl                        |  12 +
 .../files/sign_secure_image.sh                |  36 +++
 .../ovmf-binaries/files/control.tmpl          |  11 +
 .../ovmf-binaries/ovmf-binaries_0.1.bb        |  30 +++
 .../linux/files/qemu-amd64_defconfig          |   6 +
 .../files/initramfs.image_uuid.hook           |  33 +++
 .../files/initramfs.lsblk.hook                |  29 +++
 .../initramfs-config/files/postinst.ext       |   3 +
 .../files/secure-boot-debian-local-patch      |  77 +++++++
 .../initramfs-config_0.1-cip.bb               |  38 ++++
 ...enerate-sb-db-from-existing-certificate.sh |  16 ++
 scripts/generate_secure_boot_keys.sh          |  51 +++++
 .../wic/plugins/source/efibootguard-boot.py   |  87 +++++++-
 .../wic/plugins/source/efibootguard-efi.py    |  40 +++-
 scripts/start-efishell.sh                     |  12 +
 start-qemu.sh                                 |  54 ++++-
 wic/ebg-signed-bootloader.inc                 |   2 +
 wic/qemu-amd64-efibootguard.wks               |  11 +-
 34 files changed, 1157 insertions(+), 30 deletions(-)
 create mode 100644 classes/image_uuid.bbclass
 create mode 100644 conf/distro/debian-buster-backports.list
 create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
 create mode 100644 doc/README.secureboot.md
 create mode 100644 isar-patches/v6-0001-meta-support-Generate-a-custom-initramfs.patch
 create mode 100644 kas/opt/ebg-secure-boot-base.yml
 create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
 create mode 100644 kas/opt/qemu-wic.yml
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
 create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
 create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
 create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
 create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
 create mode 100644 recipes-support/initramfs-config/files/postinst.ext
 create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
 create mode 100644 recipes-support/initramfs-config/initramfs-config_0.1-cip.bb
 create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
 create mode 100755 scripts/generate_secure_boot_keys.sh
 create mode 100755 scripts/start-efishell.sh
 create mode 100644 wic/ebg-signed-bootloader.inc

-- 
2.20.1


[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4824): https://lists.cip-project.org/g/cip-dev/message/4824
Mute This Topic: https://lists.cip-project.org/mt/75103450/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

^ permalink raw reply	[flat|nested] 29+ messages in thread
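The root file system selection the cover letter describes, as an added stand-alone example (not code from the RFC or from isar-cip-core): the candidate root file systems are plain directories that the example constructs in a temporary directory, standing in for the partitions the real initramfs enumerates with lsblk and mounts one at a time; the function names select_rootfs, image_uuid_of, make_demo_layout and demo and the sample UUIDs are the example's own. It accepts quoted and unquoted IMAGE_UUID values, skips candidates without /etc/os-release (the ESP), refuses an empty UUID, and returns failure when nothing matches, which is the point at which the real script panics.

```shell
#!/bin/sh
# Added example, not code from the RFC or from isar-cip-core: the
# root-file-system selection from the cover letter, reduced to a
# function that works on directories. In the real initramfs the
# candidates are partitions listed by lsblk and mounted one at a time;
# here each candidate is a directory containing etc/os-release, and
# the demo layout is constructed by make_demo_layout.

# Print the IMAGE_UUID value from an os-release file, with or without
# surrounding double quotes. Prints nothing if the key is absent.
image_uuid_of() {
    sed -n 's/^IMAGE_UUID=//p' "$1" | tr -d '"'
}

# select_rootfs CANDIDATES_DIR UUID
# Prints the first candidate whose etc/os-release carries UUID and
# returns 0; returns 1 when nothing matches (the initramfs panics here).
# An empty UUID never matches: it would otherwise "match" every rootfs
# that simply lacks the IMAGE_UUID line.
select_rootfs() {
    candidates="$1"
    wanted="$2"
    [ -n "$wanted" ] || return 1
    for cand in "$candidates"/*; do
        # Partitions without an os-release (the ESP, swap) are skipped.
        [ -f "$cand/etc/os-release" ] || continue
        found=$(image_uuid_of "$cand/etc/os-release")
        if [ "$found" = "$wanted" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Constructed A/B layout (sample UUIDs made up for this example): slot
# "a" uses a quoted IMAGE_UUID as written by image_uuid.bbclass, slot
# "b" an unquoted one, and "esp" has no os-release at all.
# Prints the base directory.
make_demo_layout() {
    base=$(mktemp -d)
    mkdir -p "$base/a/etc" "$base/b/etc" "$base/esp"
    printf '%s\n' 'ID=cip-core' \
        'IMAGE_UUID="11111111-1111-4111-8111-111111111111"' > "$base/a/etc/os-release"
    printf '%s\n' 'ID=cip-core' \
        'IMAGE_UUID=22222222-2222-4222-8222-222222222222' > "$base/b/etc/os-release"
    printf '%s\n' "$base"
}

# Stand-alone demo: the initramfs "carries" slot b's UUID.
demo() {
    base=$(make_demo_layout)
    select_rootfs "$base" 22222222-2222-4222-8222-222222222222
    rm -rf "$base"
}

demo
```

A match only tells the initramfs which partition the image was built with; it says nothing about whether that partition is intact, so on a secure boot target the selected root still needs its own integrity protection.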

* [cip-dev] [isar-cip-core RFC 1/7] kernel: add fat for qemu-amd64
  2020-06-25 14:10 [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard Quirin Gylstorff
@ 2020-06-25 14:10 ` Quirin Gylstorff
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 2/7] isar-patch: Add initramfs-config patch Quirin Gylstorff
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-25 14:10 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add a FAT configuration to access FAT partitions on the qemu-amd64
target.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-kernel/linux/files/qemu-amd64_defconfig | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/recipes-kernel/linux/files/qemu-amd64_defconfig b/recipes-kernel/linux/files/qemu-amd64_defconfig
index 7487152..5449317 100644
--- a/recipes-kernel/linux/files/qemu-amd64_defconfig
+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
@@ -351,3 +351,9 @@ CONFIG_CRYPTO_DEV_CCP=y
 # CONFIG_XZ_DEC_ARM is not set
 # CONFIG_XZ_DEC_ARMTHUMB is not set
 # CONFIG_XZ_DEC_SPARC is not set
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
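Review bot: the commit message says what is enabled but not what needs it; a sentence such as "the EFI system partition used by efibootguard is FAT and must be readable from the initramfs" would justify building these in (=y) rather than as modules. Worth noting the interaction with 3/7: once VFAT is available, the root-selection loop in the patched `local` script also mounts and inspects the ESP, because it iterates over every device lsblk lists.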
-- 
2.20.1


* [cip-dev] [isar-cip-core RFC 2/7] isar-patch: Add initramfs-config patch
  2020-06-25 14:10 [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard Quirin Gylstorff
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 1/7] kernel: add fat for qemu-amd64 Quirin Gylstorff
@ 2020-06-25 14:10 ` Quirin Gylstorff
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 3/7] secure-boot: select boot partition in initramfs Quirin Gylstorff
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-25 14:10 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Adapt the initramfs generation to set, for example, the root device
in the initramfs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 ...-support-Generate-a-custom-initramfs.patch | 208 ++++++++++++++++++
 kas/cip.yml                                   |   3 +
 2 files changed, 211 insertions(+)
 create mode 100644 isar-patches/v6-0001-meta-support-Generate-a-custom-initramfs.patch

diff --git a/isar-patches/v6-0001-meta-support-Generate-a-custom-initramfs.patch b/isar-patches/v6-0001-meta-support-Generate-a-custom-initramfs.patch
new file mode 100644
index 0000000..fba2c75
--- /dev/null
+++ b/isar-patches/v6-0001-meta-support-Generate-a-custom-initramfs.patch
@@ -0,0 +1,208 @@
+From a03831a79adc936567e16ab07c59a5704a619668 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Tue, 24 Mar 2020 17:58:08 +0100
+Subject: [PATCH v6 1/3] meta/support: Generate a custom initramfs
+
+This package sets the Parameters for mkinitramfs/update-intramfs
+before it regenerates the initrd.img of debian with a modified version.
+
+Use cases are the remove unnecessary kernel modules to reduce the
+size of the initrd by using the parameters:
+```
+INITRAMFS_MODULES = "list"
+INITRAMFS_MODULE_LIST += "ext4"
+```
+
+Set the boot root during the initrd generation by setting `INITRAMFS_ROOT`.
+
+see also man pages of mkinitramfs and initramfs.conf.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ .../initramfs-config/initramfs-config_0.1.bb  |  7 +++
+ .../initramfs-config/files/control.tmpl       | 12 +++++
+ .../initramfs-config/files/postinst.tmpl      | 50 +++++++++++++++++++
+ .../initramfs-config/files/postrm.tmpl        | 41 +++++++++++++++
+ .../initramfs-config/initramfs-config.inc     | 32 ++++++++++++
+ 5 files changed, 142 insertions(+)
+ create mode 100644 meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+ create mode 100644 meta/recipes-support/initramfs-config/files/control.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/files/postinst.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/files/postrm.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/initramfs-config.inc
+
+diff --git a/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+new file mode 100644
+index 0000000..0eb70d7
+--- /dev/null
++++ b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+@@ -0,0 +1,7 @@
++#
++# Copyright (C) Siemens ag, 2020
++#
++# SPDX-License-Identifier: MIT
++
++require recipes-support/initramfs-config/initramfs-config.inc
++
+diff --git a/meta/recipes-support/initramfs-config/files/control.tmpl b/meta/recipes-support/initramfs-config/files/control.tmpl
+new file mode 100644
+index 0000000..66984eb
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/control.tmpl
+@@ -0,0 +1,12 @@
++Source: ${PN}
++Section: misc
++Priority: optional
++Standards-Version: 3.9.6
++Maintainer: isar-users <isar-users@googlegroups.com>
++Build-Depends: debhelper (>= 9)
++
++
++Package: ${PN}
++Architecture: any
++Depends: ${shlibs:Depends}, ${misc:Depends}, initramfs-tools-core, ${DEBIAN_DEPENDS}
++Description: Configuration files for a custom initramfs
+diff --git a/meta/recipes-support/initramfs-config/files/postinst.tmpl b/meta/recipes-support/initramfs-config/files/postinst.tmpl
+new file mode 100644
+index 0000000..e523906
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/postinst.tmpl
+@@ -0,0 +1,50 @@
++#!/bin/sh
++# postinst script for initramfs-config
++#
++# see: dh_installdeb(1)
++
++set -e
++
++case "$1" in
++    configure)
++        INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
++        if [ -f ${INITRAMFS_CONF} ]; then
++            sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
++            if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
++                sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
++            else
++                sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
++            fi
++        fi
++
++        MODULES_LIST_FILE=/etc/initramfs-tools/modules
++        if [ -f ${MODULES_LIST_FILE} ]; then
++            for modname in ${INITRAMFS_MODULE_LIST}; do
++                if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
++                    echo "$modname" >> "${MODULES_LIST_FILE}"
++                fi
++            done
++        fi
++
++        update-initramfs -v -u
++
++    ;;
++    abort-upgrade|abort-remove|abort-deconfigure)
++    ;;
++
++    *)
++        echo "postinst called with unknown argument \`$1'" >&2
++        exit 1
++        ;;
++esac
++# dh_installdeb will replace this with shell code automatically
++# generated by other debhelper scripts.
++#DEBHELPER#
++
++exit 0
+diff --git a/meta/recipes-support/initramfs-config/files/postrm.tmpl b/meta/recipes-support/initramfs-config/files/postrm.tmpl
+new file mode 100644
+index 0000000..115d9b6
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/postrm.tmpl
+@@ -0,0 +1,41 @@
++#!/bin/sh
++# postrm script for initramfs-config
++#
++# see: dh_installdeb(1)
++
++set -e
++
++case "$1" in
++    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
++        # back to the debian defaults
++        INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
++        sed -i -E 's/(^MODULES=).*/\1most/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^BUSYBOX=).*/\1auto/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^COMPRESS=).*/\1gzip/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^KEYMAP=).*/\1n/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^DEVICE=).*/\1/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^NFSROOT=).*/\1auto/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^RUNSIZE=).*/\110%/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^ROOT=).*//' ${INITRAMFS_CONF}
++
++        # remove the added modules
++        MODULES_LIST_FILE=/etc/initramfs-tools/modules
++        for modname in ${INITRAMFS_MODULE_LIST}; do
++            sed -i -E 's/$modname//'
++        done
++
++        update-initramfs -v -u
++    ;;
++
++    *)
++        echo "postrm called with unknown argument \`$1'" >&2
++        exit 1
++        ;;
++esac
++
++# dh_installdeb will replace this with shell code automatically
++# generated by other debhelper scripts.
++
++#DEBHELPER#
++
++exit 0
+diff --git a/meta/recipes-support/initramfs-config/initramfs-config.inc b/meta/recipes-support/initramfs-config/initramfs-config.inc
+new file mode 100644
+index 0000000..16049a9
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/initramfs-config.inc
+@@ -0,0 +1,32 @@
++# This software is a part of ISAR.
++# Copyright (C) 2020 Siemens AG
++#
++# SPDX-License-Identifier: MIT
++inherit dpkg-raw
++inherit template
++DESCRIPTION = "Recipe to set the initramfs configuration and generate a new ramfs"
++
++FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:"
++
++SRC_URI = "file://postinst.tmpl \
++           file://postrm.tmpl \
++           file://control.tmpl \
++          "
++
++INITRAMFS_MODULES ?= "most"
++INITRAMFS_BUSYBOX ?= "auto"
++INITRAMFS_COMPRESS ?= "gzip"
++INITRAMFS_KEYMAP ?= "n"
++INITRAMFS_NET_DEVICE ?= ""
++INITRAMFS_NFSROOT ?= "auto"
++INITRAMFS_RUNSIZE ?= "10%"
++INITRAMFS_ROOT ?= ""
++INITRAMFS_MODULE_LIST ?= ""
++CREATE_NEW_INITRAMFS ?= "n"
++KERNEL_PACKAGE = "${@ ("linux-image-" + d.getVar("KERNEL_NAME", True)) if d.getVar("KERNEL_NAME", True) else ""}"
++DEBIAN_DEPENDS += ", ${KERNEL_PACKAGE}"
++TEMPLATE_FILES = "postinst.tmpl control.tmpl postrm.tmpl"
++TEMPLATE_VARS += "INITRAMFS_MODULES INITRAMFS_BUSYBOX INITRAMFS_COMPRESS \
++                  INITRAMFS_KEYMAP INITRAMFS_NET_DEVICE INITRAMFS_NFSROOT \
++                  INITRAMFS_RUNSIZE INITRAMFS_ROOT INITRAMFS_MODULE_LIST \
++                  CREATE_NEW_INITRAMFS DEBIAN_DEPENDS PN"
+-- 
+2.20.1
+
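Review bot: in postinst.tmpl the template values are spliced unescaped into sed expressions (`sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/'`), so a value containing `/`, `&` or `\` breaks or mangles the substitution, and a device path for INITRAMFS_ROOT or INITRAMFS_NFSROOT is the normal case, not the exception; pass the value as data (awk via ENVIRON, or an escaped value) instead of as regex or replacement text. The idempotency check `grep -Fxq "ROOT=" "${INITRAMFS_CONF}"` only matches a line that is exactly `ROOT=`, so an already configured `ROOT=/dev/...` is not detected and every re-configure appends another ROOT line; `grep -q '^ROOT='` is what is meant. In postrm.tmpl the module removal `sed -i -E 's/$modname//'` is single-quoted (no expansion of $modname) and has no file operand, so it reads stdin and never touches /etc/initramfs-tools/modules; and `s/(^ROOT=).*//` leaves an empty line where `/^ROOT=/d` would remove it. Minor: "Siemens ag" in the recipe header.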
diff --git a/kas/cip.yml b/kas/cip.yml
index 0da07db..e471aa2 100644
--- a/kas/cip.yml
+++ b/kas/cip.yml
@@ -26,6 +26,9 @@ repos:
       01-libubootenv:
         path: isar-patches/0001-u-boot-add-libubootenv.patch
         repo: cip-core
+      secure-boot:
+        path: isar-patches/v6-0001-meta-support-Generate-a-custom-initramfs.patch
+        repo: cip-core
 
 bblayers_conf_header:
   standard: |
-- 
2.20.1

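An idempotent, escape-safe way to set the KEY=VALUE lines that postinst.tmpl rewrites, as an added example (not code from the RFC or from Isar): it assumes a file in the line-oriented KEY=VALUE layout of initramfs.conf and works on a constructed sample configuration; set_conf_value, get_conf_value, count_key, make_demo_conf and demo are names chosen here. Unlike a sed expression with the value spliced in, the value travels through the environment into awk, so a device path with slashes, an `&` or a backslash is written literally, and a key that already exists is replaced rather than appended a second time.

```shell
#!/bin/sh
# Added example, not code from the RFC or from Isar: an idempotent,
# escape-safe replacement for the "sed -i -E 's/(^KEY=).*/\1${VALUE}/'"
# lines in postinst.tmpl. The value is passed to awk through the
# environment, so it is never interpreted as a regular expression or
# as sed replacement text, and a key that already exists is rewritten
# in place instead of being appended again.

# set_conf_value FILE KEY VALUE
# Rewrites the first KEY= line to KEY=VALUE, drops later duplicates of
# the key, and appends KEY=VALUE if the file has no such line.
set_conf_value() {
    file="$1"
    tmp="$file.tmp.$$"
    key="$2" value="$3" awk '
        BEGIN { prefix = ENVIRON["key"] "="; value = ENVIRON["value"]; done = 0 }
        index($0, prefix) == 1 { if (!done) { print prefix value; done = 1 }; next }
        { print }
        END { if (!done) print prefix value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_conf_value FILE KEY: prints the value of the first KEY= line.
get_conf_value() {
    key="$2" awk '
        BEGIN { prefix = ENVIRON["key"] "=" }
        index($0, prefix) == 1 { print substr($0, length(prefix) + 1); exit }
    ' "$1"
}

# count_key FILE KEY: number of KEY= lines (stays 1 however often the
# key is updated).
count_key() {
    key="$2" awk '
        BEGIN { prefix = ENVIRON["key"] "="; n = 0 }
        index($0, prefix) == 1 { n++ }
        END { print n }
    ' "$1"
}

# Constructed stand-in for /etc/initramfs-tools/initramfs.conf holding
# the Debian defaults that postrm.tmpl restores; no ROOT= line yet.
make_demo_conf() {
    f=$(mktemp)
    printf '%s\n' 'MODULES=most' 'BUSYBOX=auto' 'COMPRESS=gzip' \
        'KEYMAP=n' 'NFSROOT=auto' 'RUNSIZE=10%' > "$f"
    printf '%s\n' "$f"
}

# Stand-alone demo: a device path with slashes and sed metacharacters,
# then a second update of the same key, then an existing key replaced.
demo() {
    f=$(make_demo_conf)
    set_conf_value "$f" ROOT '/dev/disk/by-partlabel/root&a\b'
    set_conf_value "$f" ROOT /dev/sda2
    set_conf_value "$f" MODULES list
    cat "$f"
    rm -f "$f"
}

demo
```

The same helper covers the postrm case: restoring a default is just set_conf_value with the default value, and dropping a key is a one-line awk filter on the same prefix test, so neither script needs to know what characters the value contains.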

* [cip-dev] [isar-cip-core RFC 3/7] secure-boot: select boot partition in initramfs
  2020-06-25 14:10 [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard Quirin Gylstorff
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 1/7] kernel: add fat for qemu-amd64 Quirin Gylstorff
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 2/7] isar-patch: Add initramfs-config patch Quirin Gylstorff
@ 2020-06-25 14:10 ` Quirin Gylstorff
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 4/7] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-25 14:10 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

As the usage of a unified kernel image freezes the kernel command line
at build time, the rootfs selection for swupdate can no longer be
done with the kernel command line and must be done later in the boot
process. Read the root filesystem's /etc/os-release and check if it
contains the same UUID as stored in the initramfs. If the UUIDs are
the same, boot the root file system.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/image_uuid.bbclass                    | 29 +++++++
 .../files/initramfs.image_uuid.hook           | 33 ++++++++
 .../files/initramfs.lsblk.hook                | 29 +++++++
 .../initramfs-config/files/postinst.tmpl      | 31 ++++++++
 .../files/secure-boot-debian-local-patch      | 77 +++++++++++++++++++
 .../initramfs-config_0.1-cip.bb               | 35 +++++++++
 6 files changed, 234 insertions(+)
 create mode 100644 classes/image_uuid.bbclass
 create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
 create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
 create mode 100644 recipes-support/initramfs-config/files/postinst.tmpl
 create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
 create mode 100644 recipes-support/initramfs-config/initramfs-config_0.1-cip.bb

diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
new file mode 100644
index 0000000..3bd03d5
--- /dev/null
+++ b/classes/image_uuid.bbclass
@@ -0,0 +1,29 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+def generate_image_uuid():
+    import uuid
+    return str(uuid.uuid4())
+
+
+IMAGE_UUID ?= "${@generate_image_uuid()}"
+
+
+do_generate_image_uuid() {
+    sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release'
+    echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \
+        sudo tee -a '${IMAGE_ROOTFS}/etc/os-release'
+    image_do_mounts
+
+    # update initramfs to add uuid
+    sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u
+}
+addtask generate_image_uuid before do_copy_boot_files after do_rootfs_install
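Review bot: `IMAGE_UUID ?= "${@generate_image_uuid()}"` is an inline Python default, evaluated when the variable is expanded rather than fixed once per build; if anything else expands `${IMAGE_UUID}` (another task, a wic plugin, the swupdate description) it can observe a different uuid4 than the one this task writes to /etc/os-release. Safer to write the value once, as done here, and have every later consumer read it back from the rootfs rather than expand the variable again. The class should also document that a fresh random UUID per build is intentional (two otherwise identical builds are no longer reproducible) and refuse an empty IMAGE_UUID, since the initramfs hook would then write an empty marker.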
diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook
new file mode 100644
index 0000000..910ce84
--- /dev/null
+++ b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook
@@ -0,0 +1,33 @@
+# This software is a part of ISAR.
+# Copyright (C) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+#!/bin/sh
+set -x
+PREREQ=""
+
+prereqs()
+{
+     echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+     prereqs
+     exit 0
+     ;;
+esac
+
+. /usr/share/initramfs-tools/scripts/functions
+. /usr/share/initramfs-tools/hook-functions
+
+if [ ! -e /etc/os-release ]; then
+	echo "Warning: couldn't find /etc/os-release!"
+	exit 0
+fi
+
+IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release)
+echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid"
+
+exit 0
\ No newline at end of file
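Review bot: the `#!/bin/sh` on line 6 is not a shebang (it has to be the first line), so this hook only runs because the shell falls back to interpreting an ENOEXEC file; move it to line 1 and drop `set -x`, which leaves debug tracing in every initramfs build. The missing /etc/os-release case exits 0 with a warning, yet the patched `local` script panics without /conf/image_uuid, so a missing or empty IMAGE_UUID should fail the build (non-zero exit) instead of producing an image that cannot boot; as written, an absent key also silently writes an empty file. Missing trailing newline at end of file.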
diff --git a/recipes-support/initramfs-config/files/initramfs.lsblk.hook b/recipes-support/initramfs-config/files/initramfs.lsblk.hook
new file mode 100644
index 0000000..cf32404
--- /dev/null
+++ b/recipes-support/initramfs-config/files/initramfs.lsblk.hook
@@ -0,0 +1,29 @@
+# This software is a part of ISAR.
+# Copyright (C) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+#!/bin/sh
+PREREQ=""
+
+prereqs()
+{
+     echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+     prereqs
+     exit 0
+     ;;
+esac
+
+. /usr/share/initramfs-tools/scripts/functions
+. /usr/share/initramfs-tools/hook-functions
+
+if [ ! -x /usr/bin/lsblk ]; then
+	echo "Warning: couldn't find /usr/bin/lsblk!"
+	exit 0
+fi
+
+copy_exec /usr/bin/lsblk
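Review bot: same shebang placement problem as the image_uuid hook, and the missing-lsblk case is downgraded to a warning although the patched `local` script cannot enumerate partitions without it; exit non-zero instead. Hard-coding /usr/bin/lsblk also assumes merged /usr; `copy_exec "$(command -v lsblk)"` (or /bin/lsblk where util-linux installs it) avoids tying the hook to one layout.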
diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl
new file mode 100644
index 0000000..008f68d
--- /dev/null
+++ b/recipes-support/initramfs-config/files/postinst.tmpl
@@ -0,0 +1,31 @@
+#!/bin/sh
+if [ -d /usr/share/secureboot ]; then
+    patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
+fi
+
+INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
+if [ -f ${INITRAMFS_CONF} ]; then
+    sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
+    if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
+        sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
+    else
+        sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
+    fi
+fi
+
+MODULES_LIST_FILE=/etc/initramfs-tools/modules
+if [ -f ${MODULES_LIST_FILE} ]; then
+    for modname in ${INITRAMFS_MODULE_LIST}; do
+        if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
+            echo "$modname" >> "${MODULES_LIST_FILE}"
+        fi
+    done
+fi
+
+update-initramfs -v -u
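Review bot: there is no `set -e` and no `case "$1"` like the template it replaces, so a failing `patch` is ignored and `update-initramfs` runs on an unpatched `local` script; and `patch -s -p0` against /usr/share/initramfs-tools/scripts/local is neither idempotent (a second configure re-applies the patch and prompts) nor upgrade-safe, because initramfs-tools-core owns that file and will overwrite it. Shipping the modified boot script as its own file under /etc/initramfs-tools/scripts and selecting it with BOOT= in initramfs.conf would avoid editing a package-owned file. The unescaped `${INITRAMFS_ROOT}` in the sed expressions has the same slash problem as in the Isar patch in 2/7.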
diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
new file mode 100644
index 0000000..31d4c40
--- /dev/null
+++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
@@ -0,0 +1,77 @@
+--- local	2020-06-10 14:54:42.148263121 +0200
++++ ../../../../../../../../../../../recipes-support/initramfs-config/files/local	2020-06-10 14:53:03.723314458 +0200
+@@ -1,5 +1,4 @@
+ # Local filesystem mounting			-*- shell-script -*-
+-
+ local_top()
+ {
+ 	if [ "${local_top_used}" != "yes" ]; then
+@@ -155,34 +154,46 @@
+ local_mount_root()
+ {
+ 	local_top
+-	if [ -z "${ROOT}" ]; then
+-		panic "No root device specified. Boot arguments must include a root= parameter."
++	if [ ! -e /conf/image_uuid ]; then
++		 panic "could not find image_uuid to select correct root file system"
+ 	fi
+-	local_device_setup "${ROOT}" "root file system"
+-	ROOT="${DEV}"
++	local INITRAMFS_IMAGE_UUID=$(cat /conf/image_uuid)
++	local partitions=$(lsblk -nlp -o name)
++	for part in $partitions; do
++			local_device_setup "${part}" "root file system"
++			ROOT="${DEV}"
++
++			# Get the root filesystem type if not set
++			if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
++					FSTYPE=$(get_fstype "${ROOT}")
++			else
++					FSTYPE=${ROOTFSTYPE}
++			fi
+ 
+-	# Get the root filesystem type if not set
+-	if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
+-		FSTYPE=$(get_fstype "${ROOT}")
+-	else
+-		FSTYPE=${ROOTFSTYPE}
+-	fi
++		local_premount
+ 
+-	local_premount
++			if [ "${readonly?}" = "y" ]; then
++					roflag=-r
++			else
++					roflag=-w
++			fi
+ 
+-	if [ "${readonly?}" = "y" ]; then
+-		roflag=-r
+-	else
+-		roflag=-w
+-	fi
++			checkfs "${ROOT}" root "${FSTYPE}"
+ 
+-	checkfs "${ROOT}" root "${FSTYPE}"
++			# Mount root
++			# shellcheck disable=SC2086
++			if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
++					if [ -e "${rootmnt?}"/etc/os-release ]; then
++							image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' )
++							if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then
++									return
++							fi
++					fi
++					umount "${rootmnt?}"
++      fi
++	done
++	panic "Could not find ROOTFS with matching UUID $INITRAMFS_IMAGE_UUID"
+ 
+-	# Mount root
+-	# shellcheck disable=SC2086
+-	if ! mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
+-		panic "Failed to mount ${ROOT} as root file system."
+-	fi
+ }
+ 
+ local_mount_fs()
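Review bot: the UUID comparison selects a root file system but does not authenticate it; the signed unified image covers kernel and initramfs, and whichever partition carries a matching IMAGE_UUID in /etc/os-release is then mounted and trusted, so the series (the README in 7/7 is the natural place) should state where rootfs integrity comes from, for example dm-verity or a read-only verified rootfs, or say explicitly that it is out of scope. An empty /conf/image_uuid must be rejected before the loop: `[ "" = "" ]` matches any rootfs that merely lacks the IMAGE_UUID line. On the loop itself: `local_premount` is now called once per candidate, re-running every local-premount script for each partition, so hoist it above the `for`; `lsblk -nlp -o name` lists whole disks and the ESP as well, and `checkfs` runs fsck on every candidate before the UUID is known, so filter to partitions (`-o name,type`) and defer fsck until the match is found. Mixed tabs and spaces at the closing `fi`.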
diff --git a/recipes-support/initramfs-config/initramfs-config_0.1-cip.bb b/recipes-support/initramfs-config/initramfs-config_0.1-cip.bb
new file mode 100644
index 0000000..ba1c898
--- /dev/null
+++ b/recipes-support/initramfs-config/initramfs-config_0.1-cip.bb
@@ -0,0 +1,35 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-support/initramfs-config/initramfs-config.inc
+
+FILESPATH =. "${LAYERDIR_isar-siemens}/recipes-support/initramfs-config/files:"
+
+DEBIAN_DEPENDS += ", busybox, patch"
+
+SRC_URI += "file://initramfs.lsblk.hook \
+            file://initramfs.image_uuid.hook \
+            file://secure-boot-debian-local-patch"
+
+INITRAMFS_BUSYBOX = "y"
+
+do_install() {
+    # add patch for local to /usr/share/secure boot
+    TARGET=${D}/usr/share/secureboot
+    install -m 0755 -d ${TARGET}
+    install -m 0644 ${WORKDIR}/secure-boot-debian-local-patch ${TARGET}/secure-boot-debian-local.patch
+
+    # add hooks for secure boot
+    HOOKS=${D}/etc/initramfs-tools/hooks
+install -m 0755 -d ${HOOKS}
+    install -m 0740 ${WORKDIR}/initramfs.lsblk.hook ${HOOKS}/lsblk.hook
+    install -m 0740 ${WORKDIR}/initramfs.image_uuid.hook ${HOOKS}/image_uuid.hook
+}
+addtask do_install after do_transform_template
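Review bot: `FILESPATH =. "${LAYERDIR_isar-siemens}/..."` refers to a layer that does not exist in this repository (the image recipe uses `${LAYERDIR_cip-core}`), so the three hook files will not be found at build time; use `${LAYERDIR_cip-core}` or rely on the FILESEXTRAPATHS already set in the .inc. `install -m 0755 -d ${HOOKS}` is mis-indented. Hooks at mode 0740 work for root, but 0755 is the convention for /etc/initramfs-tools/hooks and avoids surprises when mkinitramfs is run by a non-root build user.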
-- 
2.20.1


* [cip-dev] [isar-cip-core RFC 4/7] secure-boot: Add secure boot with unified kernel image
  2020-06-25 14:10 [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard Quirin Gylstorff
                   ` (2 preceding siblings ...)
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 3/7] secure-boot: select boot partition in initramfs Quirin Gylstorff
@ 2020-06-25 14:10 ` Quirin Gylstorff
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 5/7] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-25 14:10 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

A unified kernel image contains the os-release, kernel,
kernel command line, initramfs and EFI stub in one binary.
This binary can be booted by systemd-boot and efibootguard.
It also allows signing kernel and initramfs as one package.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 kas/opt/ebg-secure-boot-base.yml              | 30 +++++++
 recipes-core/images/cip-core-image.bb         |  2 +-
 .../ebg-secure-boot-secrets_0.1.bb            | 52 +++++++++++
 .../ebg-secure-boot-secrets/files/README.md   |  1 +
 .../files/control.tmpl                        | 12 +++
 .../files/sign_secure_image.sh.tmpl           | 22 +++++
 .../initramfs-config/files/postinst.ext       |  3 +
 .../initramfs-config/files/postinst.tmpl      | 31 -------
 .../initramfs-config_0.1-cip.bb               |  7 +-
 ...enerate-sb-db-from-existing-certificate.sh | 16 ++++
 scripts/generate_secure_boot_keys.sh          | 51 +++++++++++
 .../wic/plugins/source/efibootguard-boot.py   | 87 +++++++++++++++++--
 .../wic/plugins/source/efibootguard-efi.py    | 40 ++++++++-
 scripts/start-efishell.sh                     | 12 +++
 start-qemu.sh                                 | 54 +++++++++---
 wic/ebg-signed-bootloader.inc                 |  2 +
 wic/qemu-amd64-efibootguard.wks               | 11 ++-
 17 files changed, 372 insertions(+), 61 deletions(-)
 create mode 100644 kas/opt/ebg-secure-boot-base.yml
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 create mode 100644 recipes-support/initramfs-config/files/postinst.ext
 delete mode 100644 recipes-support/initramfs-config/files/postinst.tmpl
 create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
 create mode 100755 scripts/generate_secure_boot_keys.sh
 create mode 100755 scripts/start-efishell.sh
 create mode 100644 wic/ebg-signed-bootloader.inc

diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
new file mode 100644
index 0000000..661ff23
--- /dev/null
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -0,0 +1,30 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+header:
+  version: 8
+
+local_conf_header:
+  initramfs: |
+    IMAGE_INSTALL += "initramfs-config"
+
+  efibootguard: |
+    IMAGE_INSTALL += "efibootguard"
+    WDOG_TIMEOUT = "0"
+    WICVARS += "WDOG_TIMEOUT"
+
+  swupdate: |
+    IMAGE_INSTALL += "swupdate"
+    PREFERRED_PROVIDER_swupdate = "swupdate-luahandler"
+    BOOTLOADER = "efibootguard"
+
+  # needed as long as dependencies are not included in ebsy
+  debian-upstream: |
+    DISTRO_APT_SOURCES_append = " conf/distro/debian-${BASE_DISTRO_CODENAME}.list"
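Review bot: `WDOG_TIMEOUT = "0"` in the efibootguard block switches off the watchdog that efibootguard relies on to fall back to the other A/B partition after an update that does not come up; a secure-boot profile built around A/B updates should keep a non-zero timeout, or the comment should say why the watchdog is disabled for the qemu target. The comment `needed as long as dependencies are not included in ebsy` also looks like a typo and does not say which dependencies are meant.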
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 9ee4b25..79ba308 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -10,7 +10,7 @@
 #
 
 inherit image
-
+inherit image_uuid
 ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'"
 DESCRIPTION = "CIP Core image"
 
diff --git a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
new file mode 100644
index 0000000..94a79e6
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
@@ -0,0 +1,52 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Add user defined secureboot certifcates to the buildchroot and the script to \
+               sign an image with the given keys"
+
+# variables
+SB_CERT_PATH = "/usr/share/ebg-secure-boot"
+SB_CERTDB ??= "democertdb"
+SB_VERIFY_CERT ??= "demoDB.crt"
+SB_KEY_NAME ??= "demoDB"
+
+# used to sign the image
+DEBIAN_DEPENDS = "pesign, sbsigntool"
+
+# this package cannot be install together with:
+DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil"
+
+SRC_URI = " \
+    file://${SB_CERTDB} \
+    file://${SB_VERIFY_CERT} \
+    file://sign_secure_image.sh.tmpl \
+    file://control.tmpl"
+
+TEMPLATE_FILES = "sign_secure_image.sh.tmpl"
+TEMPLATE_VARS += "SB_CERT_PATH SB_CERTDB SB_VERIFY_CERT SB_KEY_NAME"
+
+TEMPLATE_FILES += "control.tmpl"
+TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
+
+do_install() {
+    TARGET=${D}${SB_CERT_PATH}
+    install -m 0700 -d ${TARGET}
+    cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB}
+    chmod 700 ${TARGET}/${SB_CERTDB}
+    install -m 0600 ${WORKDIR}/${SB_VERIFY_CERT} ${TARGET}/${SB_VERIFY_CERT}
+    TARGET=${D}/usr/bin
+    install -d ${TARGET}
+    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
+}
+
+addtask do_install after do_transform_template
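Review bot: do_install packages the NSS certdb, which holds the DB signing key, into a Debian package; with dpkg-raw that .deb lands in the build's isar-apt repository, so the private key is reproduced wherever the build directory is archived, cached or shared. Either keep the certdb out of the package and make it available to the imager another way, or state this consequence in the README so users do not point `SB_CERTDB` at a production key. `cp -a` also preserves host ownership and modes of the database files while only the directory gets `chmod 700`; an explicit `chmod 600` on the files would match the `install -m 0600` used for the certificate. Nits: `certifcates` in DESCRIPTION and `cannot be install` in the comment.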
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/README.md b/recipes-devtools/ebg-secure-boot-secrets/files/README.md
new file mode 100644
index 0000000..c739c51
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/README.md
@@ -0,0 +1 @@
+For a secure boot image this directory needs to contain the certdb directory and the db.crt file.
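Review bot: the README asks for a `certdb` directory and a `db.crt` file, but the recipe defaults are `SB_CERTDB ??= "democertdb"` and `SB_VERIFY_CERT ??= "demoDB.crt"`, and `generate_secure_boot_keys.sh` writes `${name}certdb` and `${name}DB.crt`. Name the three variables here (SB_CERTDB, SB_VERIFY_CERT, SB_KEY_NAME) and the files they must point to, so a user knows what to set in local.conf.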
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
new file mode 100644
index 0000000..8361a49
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
@@ -0,0 +1,12 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: ${MAINTAINER}
+Build-Depends: debhelper (>= 9)
+
+Package: ${PN}
+Architecture: ${DPKG_ARCH}
+Depends: ${DEBIAN_DEPENDS}
+Description: ${DESCRIPTION}
+Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
new file mode 100644
index 0000000..e84fd4c
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+set -x
+signee=$1
+signed=$2
+
+usage(){
+    echo "sign with debian snakeoil"
+    echo "$0 signee signed"
+    echo "signee: path to the image to be signed"
+    echo "signed: path to store the signed image"
+}
+
+
+if [ -z "$signee" ] || [ -z "$signed" ]; then
+    usage
+    exit 1
+fi
+
+pesign --force --verbose --padding -n ${SB_CERT_PATH}/${SB_CERTDB} -c "${SB_KEY_NAME}" -s -i $signee -o $signed
+sbverify --cert ${SB_CERT_PATH}/${SB_VERIFY_CERT} $signed
+exit 0
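Review bot: the usage text says `sign with debian snakeoil`, but this is the template for user-supplied keys, so the text was copied from the snakeoil variant. `set -x` echoes every expanded command into the build log; nothing secret appears on the pesign command line here, but the same skeleton is reused where a passphrase is passed, so better not to establish the habit. `$signee` and `$signed` should be quoted, and the trailing `exit 0` is redundant under `set -e`.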
diff --git a/recipes-support/initramfs-config/files/postinst.ext b/recipes-support/initramfs-config/files/postinst.ext
new file mode 100644
index 0000000..cdafa74
--- /dev/null
+++ b/recipes-support/initramfs-config/files/postinst.ext
@@ -0,0 +1,3 @@
+if [ -d /usr/share/secureboot ]; then
+    patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
+fi
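Review bot: `patch -s -p0 ... scripts/local` is not idempotent: on a second run of the postinst (reconfigure or upgrade of the package) `patch` detects the already-applied hunk and, with no tty, fails, which aborts the maintainer script. The line is carried over from postinst.tmpl, so this is pre-existing, but since it is being moved, guard it (for example a `patch -R --dry-run` check or a marker in the patched file) so reruns are no-ops. Patching a file owned by initramfs-tools also means a later upgrade of that package silently drops the secure-boot rootfs selection.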
diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl
deleted file mode 100644
index 008f68d..0000000
--- a/recipes-support/initramfs-config/files/postinst.tmpl
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-if [ -d /usr/share/secureboot ]; then
-    patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
-fi
-
-INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
-if [ -f ${INITRAMFS_CONF} ]; then
-    sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
-    if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
-        sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
-    else
-        sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
-    fi
-fi
-
-MODULES_LIST_FILE=/etc/initramfs-tools/modules
-if [ -f ${MODULES_LIST_FILE} ]; then
-    for modname in ${INITRAMFS_MODULE_LIST}; do
-        if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
-            echo "$modname" >> "${MODULES_LIST_FILE}"
-        fi
-    done
-fi
-
-update-initramfs -v -u
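Review bot: deleting postinst.tmpl removes the whole INITRAMFS_* handling from this layer (the initramfs.conf sed edits, the module list and the final `update-initramfs -v -u`); the recipe now depends on a `postinst` found via the isar-siemens FILESPATH, which the new do_install extends with postinst.ext. The commit message should say where that postinst comes from and that it still regenerates the initramfs, otherwise the secure-boot patch to scripts/local is applied to an initramfs that is never rebuilt.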
diff --git a/recipes-support/initramfs-config/initramfs-config_0.1-cip.bb b/recipes-support/initramfs-config/initramfs-config_0.1-cip.bb
index ba1c898..3c8252f 100644
--- a/recipes-support/initramfs-config/initramfs-config_0.1-cip.bb
+++ b/recipes-support/initramfs-config/initramfs-config_0.1-cip.bb
@@ -14,7 +14,8 @@ FILESPATH =. "${LAYERDIR_isar-siemens}/recipes-support/initramfs-config/files:"
 
 DEBIAN_DEPENDS += ", busybox, patch"
 
-SRC_URI += "file://initramfs.lsblk.hook \
+SRC_URI += "file://postinst.ext \
+            file://initramfs.lsblk.hook \
             file://initramfs.image_uuid.hook \
             file://secure-boot-debian-local-patch"
 
@@ -25,7 +26,9 @@ do_install() {
     TARGET=${D}/usr/share/secureboot
     install -m 0755 -d ${TARGET}
     install -m 0644 ${WORKDIR}/secure-boot-debian-local-patch ${TARGET}/secure-boot-debian-local.patch
-
+    sed -i -e 's/exit 0//' ${WORKDIR}/postinst
+    cat ${WORKDIR}/postinst.ext >> ${WORKDIR}/postinst
+    echo "exit 0" >> ${WORKDIR}/postinst
     # add hooks for secure boot
     HOOKS=${D}/etc/initramfs-tools/hooks
 install -m 0755 -d ${HOOKS}
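Review bot: `sed -i -e 's/exit 0//' ${WORKDIR}/postinst` deletes every occurrence of the string `exit 0` anywhere in the inherited postinst, including ones in other branches or inside echo strings, not just the final one; anchor it to the last line (`sed -i '$ { /^exit 0$/d; }'`) or generate the file from a template instead of splicing. Rewriting ${WORKDIR}/postinst inside do_install also means that re-running do_install without a fresh unpack appends postinst.ext a second time.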
diff --git a/scripts/generate-sb-db-from-existing-certificate.sh b/scripts/generate-sb-db-from-existing-certificate.sh
new file mode 100755
index 0000000..035f189
--- /dev/null
+++ b/scripts/generate-sb-db-from-existing-certificate.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+name=${SB_NAME:-snakeoil}
+keydir=${SB_KEYDIR:-./keys}
+if [ ! -d  ${keydir} ]; then
+    mkdir -p ${keydir}
+fi
+inkey=${INKEY:-/usr/share/ovmf/PkKek-1-snakeoil.key}
+incert=${INCERT:-/usr/share/ovmf/PkKek-1-snakeoil.pem}
+nick_name=${IN_NICK:-snakeoil}
+TMP=$(mktemp -d)
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+openssl pkcs12 -export -out ${TMP}/foo_key.p12 -inkey $inkey  -in $incert  -name $nick_name
+pk12util -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
+cp $incert ${keydir}/$(basename $incert)
+rm -rf $TMP
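Review bot: `openssl pkcs12 -export` without `-passout` and `pk12util -i` without `-W` both prompt for a password, so this script blocks when run non-interactively (the snakeoil variant in 5/7 adds `-passout pass:` and `-W ""`), and `-passin` is missing for an encrypted input key such as the Debian snakeoil key. There is no `set -e`, so a failed certutil or pk12util still ends in `rm -rf $TMP` and a zero exit code, while a failure before that line leaves the PKCS#12 file with the private key behind; `set -e` plus `trap 'rm -rf "$TMP"' EXIT` covers both.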
diff --git a/scripts/generate_secure_boot_keys.sh b/scripts/generate_secure_boot_keys.sh
new file mode 100755
index 0000000..8d3f8c0
--- /dev/null
+++ b/scripts/generate_secure_boot_keys.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+name=${SB_NAME:-demo}
+keydir=${SB_KEYDIR:-./keys}
+if [ ! -d  ${keydir} ]; then
+    mkdir -p ${keydir}
+fi
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}PK/" -outform PEM \
+        -keyout ${keydir}/${name}PK.key  -out ${keydir}/${name}PK.crt  -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}KEK/" -outform PEM \
+        -keyout ${keydir}/${name}KEK.key -out ${keydir}/${name}KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}DB/" -outform PEM \
+        -keyout ${keydir}/${name}DB.key  -out ${keydir}/${name}DB.crt  -days 3650 -nodes -sha256
+openssl x509 -in ${keydir}/${name}PK.crt  -out ${keydir}/${name}PK.cer  -outform DER
+openssl x509 -in ${keydir}/${name}KEK.crt -out ${keydir}/${name}KEK.cer -outform DER
+openssl x509 -in ${keydir}/${name}DB.crt  -out ${keydir}/${name}DB.cer  -outform DER
+
+openssl pkcs12 -export -out ${keydir}/${name}DB.p12 \
+        -in ${keydir}/${name}DB.crt -inkey ${keydir}/${name}DB.key -passout pass:
+
+GUID=$(uuidgen --random)
+echo $GUID > ${keydir}/${name}GUID
+
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}PK.crt  ${keydir}/${name}PK.esl
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}KEK.crt ${keydir}/${name}KEK.esl
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}DB.crt  ${keydir}/${name}DB.esl
+rm -f ${keydir}/${name}noPK.esl
+touch ${keydir}/${name}noPK.esl
+
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  PK ${keydir}/${name}PK.esl   ${keydir}/${name}PK.auth
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  PK ${keydir}/${name}noPK.esl ${keydir}/${name}noPK.auth
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  KEK ${keydir}/${name}KEK.esl ${keydir}/${name}KEK.auth
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  DB ${keydir}/${name}DB.esl ${keydir}/${name}DB.auth
+
+chmod 0600 ${keydir}/${name}*.key
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+
+certutil -A -n 'PK' -d ${keydir}/${name}certdb -t CT,CT,CT -i ${keydir}/${name}PK.crt
+pk12util -W "" -d ${keydir}/${name}certdb -i ${keydir}/${name}DB.p12
+certutil -d ${keydir}/${name}certdb -A -i ${keydir}/${name}DB.crt -n "" -t u
+
+certutil -d ${keydir}/${name}certdb -K
+certutil -d ${keydir}/${name}certdb -L
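Review bot: `DB.auth` is signed with the PK key (`-k ${keydir}/${name}PK.key`). The common enrollment chain signs the db list with the KEK key, since PK authorizes changes to PK and KEK and KEK authorizes changes to db/dbx; whether a PK-signed db.auth is accepted is firmware-dependent, so verify it against OVMF before relying on it and say so in a comment. Key hygiene: `chmod 0600` covers only `*.key`, while `${name}DB.p12` (exported with an empty password) and the NSS certdb contain the same private key with default umask permissions; a `umask 077` at the top of the script is simpler and covers everything. `set -e` is missing, so a failed openssl step goes unnoticed. The `certutil -K`/`-L` listings at the end are debug output, and importing PK.crt into the signing certdb (`certutil -A -n 'PK'`) is not needed for pesign, which only uses the DB key.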
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 38d2b2e..d291f75 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -80,17 +80,29 @@ class EfibootguardBootPlugin(SourcePlugin):
 
 
         boot_files = source_params.get("files", "").split(' ')
+        uefi_kernel = source_params.get("unified-kernel")
         cmdline = bootloader.append
-        root_dev = source_params.get("root", None)
-        if not root_dev:
-            msger.error("Specify root in source params")
-            exit(1)
+        if uefi_kernel:
+            boot_image = cls._create_unified_kernel_image(rootfs_dir,
+                                                          cr_workdir,
+                                                          cmdline,
+                                                          uefi_kernel,
+                                                          deploy_dir,
+                                                          kernel_image,
+                                                          initrd_image,
+                                                          source_params)
+            boot_files.append(boot_image)
+        else:
+            root_dev = source_params.get("root", None)
+            if not root_dev:
+                msger.error("Specify root in source params")
+                exit(1)
             root_dev = root_dev.replace(":", "=")
 
-        cmdline += " root=%s rw" % root_dev
-        boot_files.append(kernel_image)
-        boot_files.append(initrd_image)
-        cmdline += "initrd=%s" % initrd_image if initrd_image else ""
+            cmdline += " root=%s rw" % root_dev
+            boot_files.append(kernel_image)
+            boot_files.append(initrd_image)
+            cmdline += "initrd=%s" % initrd_image if initrd_image else ""
 
         part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
                                              part.label, part.lineno)
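Review bot: while the legacy branch is being re-indented, `cmdline += "initrd=%s" % initrd_image` still lacks a leading space, so the command line ends up as `... rwinitrd=<file>`; `" initrd=%s"` fixes it. In the new unified-kernel branch the cmdline deliberately carries no `root=`, matching the cover letter (the initramfs selects the rootfs by uuid); a one-line comment at `if uefi_kernel:` saying so would keep the next reader from adding it back.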
@@ -160,3 +172,62 @@ class EfibootguardBootPlugin(SourcePlugin):
 
         part.size = bootimg_size
         part.source_file = bootimg
+
+    @classmethod
+    def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
+                                     uefi_kernel, deploy_dir, kernel_image,
+                                     initrd_image, source_params):
+        rootfs_path = rootfs_dir.get('ROOTFS_DIR')
+        os_release_file = "{root}/etc/os-release".format(root=rootfs_path)
+        efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linuxx64.efi.stub"\
+            .format(rootfs_path=rootfs_path)
+        msger.debug("osrelease path: %s", os_release_file)
+        kernel_cmdline_file = "{cr_workdir}/kernel-command-line-file.txt"\
+            .format(cr_workdir=cr_workdir)
+        with open(kernel_cmdline_file, "w") as cmd_fd:
+            cmd_fd.write(cmdline)
+        uefi_kernel_name = "linux.efi"
+        uefi_kernel_file = "{deploy_dir}/{uefi_kernel_name}"\
+            .format(deploy_dir=deploy_dir, uefi_kernel_name=uefi_kernel_name)
+        kernel = "{deploy_dir}/{kernel_image}"\
+            .format(deploy_dir=deploy_dir, kernel_image=kernel_image)
+        initrd = "{deploy_dir}/{initrd_image}"\
+            .format(deploy_dir=deploy_dir, initrd_image=initrd_image)
+        objcopy_cmd = 'objcopy \
+            --add-section .osrel={os_release_file} \
+            --change-section-vma .osrel=0x20000 \
+            --add-section .cmdline={kernel_cmdline_file} \
+            --change-section-vma .cmdline=0x30000 \
+            --add-section .linux={kernel} \
+            --change-section-vma .linux=0x2000000 \
+            --add-section .initrd={initrd} \
+            --change-section-vma .initrd=0x3000000 \
+            {efistub} {uefi_kernel_file}'.format(
+                os_release_file=os_release_file,
+                kernel_cmdline_file=kernel_cmdline_file,
+                kernel=kernel,
+                initrd=initrd,
+                efistub=efistub,
+                uefi_kernel_file=uefi_kernel_file)
+        exec_cmd(objcopy_cmd)
+
+        return cls._sign_file(name=uefi_kernel_name,
+                              signee=uefi_kernel_file,
+                              deploy_dir=deploy_dir,
+                              source_params=source_params)
+
+    @classmethod
+    def _sign_file(cls, name, signee, deploy_dir, source_params):
+        sign_script = source_params.get("signwith")
+        if sign_script and os.path.exists(sign_script):
+            msger.info("sign with script %s", sign_script)
+            name = name.replace(".efi", ".signed.efi")
+            sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\
+                .format(sign_script=sign_script, signee=signee,
+                        deploy_dir=deploy_dir, name=name)
+            exec_cmd(sign_cmd)
+        elif sign_script and not os.path.exists(sign_script):
+            msger.error("Could not find script %s", sign_script)
+            exit(1)
+
+        return name
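Review bot: the section VMAs are fixed: `.linux` at 0x2000000 and `.initrd` at 0x3000000 leave 16 MiB for the kernel image, and nothing checks that the kernel or the initrd fits before the next section begins, so a larger kernel silently produces an overlapping, unbootable binary; derive the offsets from the actual file sizes or at least fail loudly when a section exceeds its slot. `initrd_image` is used unconditionally here, while the legacy branch treats it as optional, so a configuration without an initrd produces `{deploy_dir}/None`. `_sign_file` returns the unsigned `linux.efi` name when no `signwith` is given, which differs from the fallback of the same-named helper in efibootguard-efi.py; one shared helper with one contract is preferable.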
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index 5ee451f..6647212 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -64,10 +64,17 @@ class EfibootguardEFIPlugin(SourcePlugin):
         exec_cmd(create_dir_cmd)
 
         for bootloader in bootloader_files:
-            cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir,
-                                                  bootloader,
-                                                  part_rootfs_dir,
-                                                  bootloader)
+            signed_bootloader = cls._sign_file(bootloader,
+                                               "{}/{}".format(deploy_dir,
+                                                              bootloader
+                                                              ),
+                                               cr_workdir,
+                                               source_params)
+            # important the bootloader in deploy_dir is no longer signed
+            cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
+                                                signed_bootloader,
+                                                part_rootfs_dir,
+                                                bootloader)
             exec_cmd(cp_cmd, True)
         du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
         blocks = int(exec_cmd(du_cmd).split()[0])
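Review bot: the comment `important the bootloader in deploy_dir is no longer signed` reads as if something were un-signed; what happens is that deploy_dir/<bootloader> stays unsigned and the signed copy is written to cr_workdir, from where it is installed under the original name `EFI/BOOT/<bootloader>`. Say that directly. The `"{}/{}".format(deploy_dir, bootloader` with the closing parenthesis on its own line is hard to read; a local `signee = "%s/%s" % (deploy_dir, bootloader)` would also match the formatting style of the surrounding code.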
@@ -100,3 +107,28 @@ class EfibootguardEFIPlugin(SourcePlugin):
 
         part.size = efi_part_image_size
         part.source_file = efi_part_image
+
+
+    @classmethod
+    def _sign_file(cls, name, signee, cr_workdir, source_params):
+        sign_script = source_params.get("signwith")
+        if sign_script and os.path.exists(sign_script):
+            work_name = name.replace(".efi", ".signed.efi")
+            sign_cmd = "{sign_script} {signee} \
+            {cr_workdir}/{work_name}".format(sign_script=sign_script,
+                                             signee=signee,
+                                             cr_workdir=cr_workdir,
+                                             work_name=work_name)
+            exec_cmd(sign_cmd)
+        elif sign_script and not os.path.exists(sign_script):
+            msger.error("Could not find script %s", sign_script)
+            exit(1)
+        else:
+            # if we do nothing copy the signee to the work directory
+            work_name = name
+            cp_cmd = "cp {signee} {cr_workdir}/{work_name}".format(
+                signee=signee,
+                cr_workdir=cr_workdir,
+                work_name=work_name)
+            exec_cmd(cp_cmd)
+        return work_name
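Review bot: this `_sign_file` is a near copy of the one added to efibootguard-boot.py in the same patch, with a different fallback (this one copies the unsigned file into cr_workdir, the other returns the deploy_dir name). Move it into a shared module under scripts/lib/wic so both plugins sign the same way, and fold `elif sign_script and not os.path.exists(sign_script)` into an early check at the top of the function.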
diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh
new file mode 100755
index 0000000..3c56ebc
--- /dev/null
+++ b/scripts/start-efishell.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
+ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+DISK=$1
+qemu-system-x86_64 -enable-kvm -M q35 \
+ 	                 -cpu host,hv_relaxed,hv_vapic,hv-spinlocks=0xfff -smp 2 -m 2G -no-hpet \
+ 	                 -global ICH9-LPC.disable_s3=1 \
+ 	                 -global isa-fdc.driveA= \
+                   -boot menu=on \
+ 	                 -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+ 	                 -drive if=pflash,format=raw,file=${ovmf_vars} \
+                   -drive file=fat:rw:$DISK
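Review bot: the continuation lines are indented with a space followed by a tab, mixed with space-only lines (`-boot menu=on` and the last `-drive`); pick one. `$DISK` is used without a check, so running the script without an argument hands qemu `file=fat:rw:` and a confusing error; reuse the usage pattern from sign_secure_image.sh.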
diff --git a/start-qemu.sh b/start-qemu.sh
index 49f0266..74d1b54 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -15,6 +15,8 @@ usage()
 	echo "Usage: $0 ARCHITECTURE [QEMU_OPTIONS]"
 	echo -e "\nSet QEMU_PATH environment variable to use a locally " \
 		"built QEMU version"
+	echo -e "\nSet SECURE_BOOT environment variable to boot a secure boot environment " \
+		"This environment also needs the variables OVMF_VARS and OVMF_CODE set"
 	exit 1
 }
 
@@ -22,17 +24,25 @@ if [ -n "${QEMU_PATH}" ]; then
 	QEMU_PATH="${QEMU_PATH}/"
 fi
 
+if [ -z "${DISTRO_RELEASE}" ]; then
+  DISTRO_RELEASE="buster"
+fi
+if [ -z "${TARGET_IMAGE}" ];then
+	TARGET_IMAGE="cip-core-image"
+fi
+
 case "$1" in
 	x86|x86_64|amd64)
 		DISTRO_ARCH=amd64
 		QEMU=qemu-system-x86_64
 		QEMU_EXTRA_ARGS=" \
-			-cpu host -smp 4 \
-			-enable-kvm -machine q35 \
+			-cpu qemu64 \
+			-smp 4 \
+			-machine q35,accel=kvm:tcg \
 			-device ide-hd,drive=disk \
 			-device virtio-net-pci,netdev=net"
 		KERNEL_CMDLINE=" \
-			root=/dev/sda vga=0x305 console=ttyS0"
+			root=/dev/sda vga=0x305"
 		;;
 	arm64|aarch64)
 		DISTRO_ARCH=arm64
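Review bot: the new `DISTRO_RELEASE`/`TARGET_IMAGE` defaults use two-space indentation and `];then` while the rest of the file uses tabs and `]; then`. Dropping `console=ttyS0` from KERNEL_CMDLINE here and re-adding it later only for the `-nographic` case is a behaviour change for users who run with a DISPLAY but still want serial output, and deserves a line in the commit message.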
@@ -71,21 +81,41 @@ case "$1" in
 		;;
 esac
 
-if [ -z "${DISTRO_RELEASE}" ]; then
-	DISTRO_RELEASE="buster"
-fi
-
-IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
-IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
+IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
 
 if [ -z "${DISPLAY}" ]; then
 	QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic"
+	case "$1" in
+		x86|x86_64|amd64)
+			KERNEL_CMDLINE="${KERNEL_CMDLINE} console=ttyS0"
+	esac
+fi
+
+
+
+if [ -n "SECURE_BOOT" ]; then
+		ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
+		ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+		QEMU_EXTRA_ARGS=" \
+										${QEMU_EXTRA_ARGS} \
+										-global ICH9-LPC.disable_s3=1 \
+											-global isa-fdc.driveA= \
+										"
+		BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+									-drive if=pflash,format=raw,file=${ovmf_vars} \
+								-drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw"
+else
+		IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
+
+		KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1)
+		INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1)
+
+		BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
+						-initrd ${INITRD_FILE}
 fi
 
 shift 1
 
 ${QEMU_PATH}${QEMU} \
-	-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
 	-m 1G -serial mon:stdio -netdev user,id=net \
-	-kernel ${IMAGE_PREFIX}-vmlinuz -append "${KERNEL_CMDLINE}" \
-	-initrd ${IMAGE_PREFIX}-initrd.img ${QEMU_EXTRA_ARGS} "$@"
+	${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@"
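Review bot: `if [ -n "SECURE_BOOT" ]` tests a non-empty literal string, so the condition is always true and the `else` branch (plain kernel/initrd boot) is dead code; it must be `[ -n "${SECURE_BOOT}" ]`. The `else` branch would not work either: `BOOT_FILES=-kernel ${KERNEL_FILE} -append ...` is parsed as the command `${KERNEL_FILE}` executed with `BOOT_FILES=-kernel` in its environment, and once quoted into a single string, the unquoted `${BOOT_FILES}` on the final qemu line splits `-append "root=/dev/sda vga=0x305"` at the space. Build the argument list with `set --` (or a bash array) instead of a string. The indentation of the new block (tabs of varying depth) also does not match the rest of the file.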
diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc
new file mode 100644
index 0000000..667e014
--- /dev/null
+++ b/wic/ebg-signed-bootloader.inc
@@ -0,0 +1,2 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi  --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi   --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
index 74446d3..06e2c85 100644
--- a/wic/qemu-amd64-efibootguard.wks
+++ b/wic/qemu-amd64-efibootguard.wks
@@ -1,5 +1,10 @@
-# short-description: Simatic-ipc227e with EFI Boot Guard and SWUpdate
-# long-description: Disk image for Simatic-ipc227e with EFI Boot Guard and SWUpdate
+# short-description: qemu-amd64 with EFI Boot Guard, secure boot and SWUpdate
+# long-description: Disk image for qemu-amd64 with EFI Boot Guard, secure boot and SWUpdate
+
+include ebg-signed-bootloader.inc
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
 
-include ebg-sysparts.inc
 include swupdate-partition.inc
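Review bot: the new BOOT0/BOOT1 lines pass no `root=` source param, which is only correct together with `unified-kernel=y`, where the plugin adds no `root=` and the initramfs selects the rootfs by uuid; the legacy branch of the plugin aborts without `root`, so a comment stating that dependency would help. `revision=2` for BOOT0 and `revision=1` for BOOT1 makes efibootguard prefer BOOT0 on first boot and is worth a comment as well. Replacing `include ebg-sysparts.inc` while keeping `swupdate-partition.inc` should be mentioned in the commit message.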
-- 
2.20.1


View/Reply Online (#4827): https://lists.cip-project.org/g/cip-dev/message/4827

* [cip-dev] [isar-cip-core RFC 5/7] secure-boot: Add Debian snakeoil keys for ease-of-use
  2020-06-25 14:10 [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard Quirin Gylstorff
                   ` (3 preceding siblings ...)
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 4/7] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
@ 2020-06-25 14:10 ` Quirin Gylstorff
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot Quirin Gylstorff
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-25 14:10 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff


From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Use the Debian snakeoil keys to have a demo case available without
the OVMF setup. Copy the used keys from the build to the deploy
directory to allow usage in non-Debian distributions.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 conf/distro/debian-buster-backports.list      |  1 +
 conf/distro/preferences.ovmf-snakeoil.conf    |  3 ++
 kas/opt/ebg-secure-boot-snakeoil.yml          | 31 ++++++++++++++++
 .../ebg-secure-boot-snakeoil_0.1.bb           | 35 ++++++++++++++++++
 .../files/control.tmpl                        | 12 +++++++
 .../files/sign_secure_image.sh                | 36 +++++++++++++++++++
 .../ovmf-binaries/files/control.tmpl          | 11 ++++++
 .../ovmf-binaries/ovmf-binaries_0.1.bb        | 30 ++++++++++++++++
 start-qemu.sh                                 |  4 +--
 9 files changed, 161 insertions(+), 2 deletions(-)
 create mode 100644 conf/distro/debian-buster-backports.list
 create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
 create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
 create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
 create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb

diff --git a/conf/distro/debian-buster-backports.list b/conf/distro/debian-buster-backports.list
new file mode 100644
index 0000000..f2dd104
--- /dev/null
+++ b/conf/distro/debian-buster-backports.list
@@ -0,0 +1 @@
+deb http://ftp.us.debian.org/debian buster-backports main contrib non-free
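Review bot: `ftp.us.debian.org` pins the build to a single regional mirror; `http://deb.debian.org/debian` is the usual choice for reproducible builds across locations, and apt's Release signature check covers integrity either way. The file name is release-specific (`buster-backports`) while the base profile builds its list name from `${BASE_DISTRO_CODENAME}`; see the note on the kas file below.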
diff --git a/conf/distro/preferences.ovmf-snakeoil.conf b/conf/distro/preferences.ovmf-snakeoil.conf
new file mode 100644
index 0000000..b51d1d4
--- /dev/null
+++ b/conf/distro/preferences.ovmf-snakeoil.conf
@@ -0,0 +1,3 @@
+Package: ovmf
+Pin: release n=buster-backports
+Pin-Priority: 801
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
new file mode 100644
index 0000000..1cc483c
--- /dev/null
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -0,0 +1,31 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 8
+  includes:
+   - ebg-secure-boot-base.yml
+
+local_conf_header:
+  secure-boot: |
+    # avoid warning of ebg-secure-boot-secrets recipe
+    SB_CERTDB = "/dev/null"
+    SB_VERIFY_CERT = "/dev/null"
+    SB_KEY_NAME = "/dev/null"
+
+    # Add snakeoil and ovmf binaries for qemu
+    IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
+    IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
+
+  ovmf: |
+    # snakeoil certs are only part of backports
+    DISTRO_APT_SOURCES_append = " conf/distro/debian-buster-backports.list"
+    DISTRO_APT_PREFERENCES_append = " conf/distro/preferences.ovmf-snakeoil.conf"
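Review bot: setting `SB_CERTDB`, `SB_VERIFY_CERT` and `SB_KEY_NAME` to `/dev/null` only to silence the ebg-secure-boot-secrets recipe is a smell: `SB_KEY_NAME` is an NSS nickname, not a file, and the recipe ends up with `file:///dev/null` in SRC_URI even though it is never meant to be built in this profile. Make the secrets recipe tolerate unset variables (or keep it out of this profile) rather than feeding it device paths. The backports list is hard-coded to buster here while the base profile uses `${BASE_DISTRO_CODENAME}`; the two should agree, otherwise building another release silently loses the ovmf pin.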
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
new file mode 100644
index 0000000..89abbcf
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
@@ -0,0 +1,35 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Add script to sign for secure boot with the debian snakeoil keys"
+# used to sign the image
+DEBIAN_DEPENDS = "pesign,  sbsigntool, ovmf, openssl, libnss3-tools"
+
+
+# this package cannot be install together with:
+DEBIAN_CONFLICTS = "ebg-secure-boot-secrets"
+
+SRC_URI = "file://sign_secure_image.sh \
+           file://control.tmpl"
+
+TEMPLATE_FILES = "control.tmpl"
+TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
+
+do_install() {
+    TARGET=${D}/usr/bin
+    install -d ${TARGET}
+    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
+}
+
+addtask do_install after do_transform_template
+
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
new file mode 100644
index 0000000..8361a49
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
@@ -0,0 +1,12 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: ${MAINTAINER}
+Build-Depends: debhelper (>= 9)
+
+Package: ${PN}
+Architecture: ${DPKG_ARCH}
+Depends: ${DEBIAN_DEPENDS}
+Description: ${DESCRIPTION}
+Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
new file mode 100644
index 0000000..081dbe9
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+set -e
+set -x
+signee=$1
+signed=$2
+
+usage(){
+    echo "sign with debian snakeoil"
+    echo "$0 signee signed"
+    echo "signee: path to the image to be signed"
+    echo "signed: path to store the signed image"
+}
+
+
+if [ -z "$signee" ] || [ -z "$signed" ]; then
+    usage
+    exit 1
+fi
+
+name=snakeoil
+keydir=$(mktemp -d)
+inkey=/usr/share/ovmf/PkKek-1-snakeoil.key
+incert=/usr/share/ovmf/PkKek-1-snakeoil.pem
+nick_name=snakeoil
+TMP=$(mktemp -d)
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+openssl pkcs12 -export -passin pass:"snakeoil" -passout pass: -out ${TMP}/foo_key.p12 -inkey $inkey  -in $incert  -name $nick_name
+pk12util -W "" -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
+cp $incert ${keydir}/$(basename $incert)
+rm -rf $TMP
+
+pesign --force --verbose --padding -n ${keydir}/${name}certdb -c "$nick_name" -s -i $signee -o $signed
+sbverify --cert $incert $signed
+rm -rf $keydir
+exit 0
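Review bot: the two temporary directories (`TMP`, `keydir`) are only removed on the success path; with `set -e` any failing openssl, pk12util, pesign or sbverify call exits the script and leaves the exported PKCS#12 file (which contains the private key) and the NSS database behind in /tmp. Replace the two trailing `rm -rf` lines with `trap 'rm -rf "$TMP" "$keydir"' EXIT` placed right after the `mktemp -d` calls. Two smaller points: `set -x` echoes the full `openssl pkcs12 ... -passin pass:"snakeoil"` command line into the build log, which is harmless for the public snakeoil key but leaks the passphrase as soon as someone reuses this script for real keys, so drop `set -x` or read the passphrase from a file; and `$signee`, `$signed` and `$incert` are unquoted in the `pesign` and `sbverify` invocations, so paths containing spaces break. Please also make sure DEBIAN_DEPENDS in the recipe (outside this hunk) lists pesign, libnss3-tools, sbsigntool and openssl, all of which the script calls.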
diff --git a/recipes-devtools/ovmf-binaries/files/control.tmpl b/recipes-devtools/ovmf-binaries/files/control.tmpl
new file mode 100644
index 0000000..54641d6
--- /dev/null
+++ b/recipes-devtools/ovmf-binaries/files/control.tmpl
@@ -0,0 +1,11 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: ${MAINTAINER}
+Build-Depends: debhelper (>= 9), ${DEBIAN_BUILD_DEPENDS}
+
+Package: ${PN}
+Architecture: ${DPKG_ARCH}
+Depends: ${DEBIAN_DEPENDS}
+Description: ${DESCRIPTION}
diff --git a/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
new file mode 100644
index 0000000..025b970
--- /dev/null
+++ b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
@@ -0,0 +1,30 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Copy the OVMF biniaries from the build changeroot to the deploy dir"
+
+# this is a empty debian package
+SRC_URI = "file://control.tmpl"
+
+DEBIAN_BUILD_DEPENDS = "ovmf"
+TEMPLATE_FILES = "control.tmpl"
+TEMPLATE_VARS += "PN DEBIAN_DEPENDS MAINTAINER DESCRIPTION DPKG_ARCH DEBIAN_BUILD_DEPENDS"
+
+
+do_extract_ovmf() {
+    install -m 0755 -d ${DEPLOY_DIR_IMAGE}
+    cp -r ${BUILDCHROOT_DIR}/usr/share/OVMF ${DEPLOY_DIR_IMAGE}
+    chown $(id -u):$(id -g) ${DEPLOY_DIR_IMAGE}/OVMF
+}
+
+addtask do_extract_ovmf after do_install_builddeps before do_dpkg_build
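Review bot: `chown $(id -u):$(id -g) ${DEPLOY_DIR_IMAGE}/OVMF` is not recursive, so it only changes the directory; if this task runs with elevated rights the firmware files copied by `cp -r` from the build chroot stay root-owned underneath a user-owned directory. Use `chown -R` (or `cp -r --no-preserve=ownership`). Typos: DESCRIPTION should read "binaries" and "chroot" rather than "biniaries" and "changeroot", and the comment "this is a empty debian package" should be "an empty".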
diff --git a/start-qemu.sh b/start-qemu.sh
index 74d1b54..3a3b2f7 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -94,8 +94,8 @@ fi
 
 
 if [ -n "SECURE_BOOT" ]; then
-		ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
-		ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+		ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd}
+		ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS.snakeoil.fd}
 		QEMU_EXTRA_ARGS=" \
 										${QEMU_EXTRA_ARGS} \
 										-global ICH9-LPC.disable_s3=1 \
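Review bot: the condition in the context line `if [ -n "SECURE_BOOT" ]; then` tests the literal string rather than the variable, so it is always true and the secure-boot firmware is selected even when SECURE_BOOT is unset; it has to read `if [ -n "$SECURE_BOOT" ]; then`. The bug predates this hunk, but the hunk changes the defaults that condition guards, and the README added in patch 7 documents `SECURE_BOOT=y ./start-qemu.sh amd64` as the opt-in, so this is the place to fix it. The new defaults also hard-code `qemu-amd64` in the deploy path; deriving the machine name from the `amd64` argument the script already receives would keep the defaults correct for other targets.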
-- 
2.20.1


[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4826): https://lists.cip-project.org/g/cip-dev/message/4826
Mute This Topic: https://lists.cip-project.org/mt/75103452/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

^ permalink raw reply related	[flat|nested] 29+ messages in thread

* [cip-dev] [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot
  2020-06-25 14:10 [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard Quirin Gylstorff
                   ` (4 preceding siblings ...)
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 5/7] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
@ 2020-06-25 14:10 ` Quirin Gylstorff
  2020-06-29  8:14   ` Jan Kiszka
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 7/7] doc: Add README " Quirin Gylstorff
  2020-06-29 12:53 ` [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard Quirin Gylstorff
  7 siblings, 1 reply; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-25 14:10 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 1052 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-core/swupdate/files/swupdate_handlers.lua | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua
index c9b9962..f2ecc54 100644
--- a/recipes-core/swupdate/files/swupdate_handlers.lua
+++ b/recipes-core/swupdate/files/swupdate_handlers.lua
@@ -311,8 +311,12 @@ function handler_roundrobin(image)
         if rootparam and rootdevice then break end
     end
     if not rootdevice then
-      swupdate.error("Cannot determine current root device.")
-      return 1
+        -- Use findmnt to get the rootdev
+      rootdevice = io.popen('findmnt -nl / -o PARTUUID'):read("*l")
+      if not rootdevice then
+        swupdate.error("Cannot determine current root device.")
+        return 1
+      end
     end
     swupdate.info(string.format("Current root device is: %s", rootdevice))
 
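Review bot: the handle returned by `io.popen` is never closed, so every call through this fallback leaks a pipe and a child process until the garbage collector runs; use `local f = io.popen('findmnt -nl / -o PARTUUID')`, `rootdevice = f:read("*l")`, `f:close()`. Two smaller points: the comment line is indented by 8 spaces while the surrounding code uses 6, and the fallback yields a bare PARTUUID whereas the loop above derives `rootdevice` from the `root=` kernel parameter, so the code that later compares `rootdevice` against the update targets must accept both representations (or the fallback should normalise to the same form). Since the change concerns the initramfs-based rootfs selection rather than secure boot itself, the subject line should say so.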
-- 
2.20.1



* [cip-dev] [isar-cip-core RFC 7/7] doc: Add README for secureboot
  2020-06-25 14:10 [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard Quirin Gylstorff
                   ` (5 preceding siblings ...)
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot Quirin Gylstorff
@ 2020-06-25 14:10 ` Quirin Gylstorff
  2020-06-29 12:53 ` [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard Quirin Gylstorff
  7 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-25 14:10 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 8253 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.secureboot.md | 188 +++++++++++++++++++++++++++++++++++++++
 kas/opt/qemu-wic.yml     |  14 +++
 2 files changed, 202 insertions(+)
 create mode 100644 doc/README.secureboot.md
 create mode 100644 kas/opt/qemu-wic.yml

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
new file mode 100644
index 0000000..3cd76af
--- /dev/null
+++ b/doc/README.secureboot.md
@@ -0,0 +1,188 @@
+# Efibootguard Secure boot
+
+This document describes how to generate a secure boot capable image with
+[efibootguard](https://github.com/siemens/efibootguard).
+
+## Description
+
+The image build signs the efibootguard bootloader (bootx64.efi) and generates
+a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
+A unified kernel image packs the kernel, initramfs and the kernel command-line
+in one binary object. As the kernel command-line is immutable after the build
+process, the previous selection of the root file system with a command-line parameter is no longer
+possible. Therefore the selection of the root file-system occurs now in the initramfs.
+
+The image uses an A/B partition layout to update the root file system. The sample implementation to
+select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
+During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
+If a match is found the rootfs is used for the boot.
+
+## Adaptation for Images
+
+###  WIC
+The following elements must be present in a wks file to create a secure boot capable image.
+
+```
+part --source efibootguard-efi  --sourceparams "signwith=<script or executable to sign the image>"
+part --source efibootguard-boot --sourceparams "uefikernel=<name of the unified kernel>,signwith=<script or executable to sign the image>"
+```
+
+#### Script or executable to sign the image
+
+The wic plugins for the [bootloader](./scripts/lib/wic/plugins/source/efibootguard-efi.py)
+and [boot partition](./scripts/lib/wic/plugins/source/efibootguard-boot.py) require an
+executable or script with the following interface:
+```
+<script_name> <inputfile> <outputfile>
+```
+- script name: name and path of the script added with
+`--sourceparams "signwith=/usr/bin/sign_secure_image.sh"` to the wic image
+- inputfile: path and name of the file to be signed
+- outputfile: path and name of the signed input
+
+Supply the script name and path to wic by adding
+`signwith=<path and name of the script to sign>"` to sourceparams of the partition.
+
+
+### Existing packages to sign an image
+
+#### ebg-secure-boot-snakeoil
+
+This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2)
+backported from Debian bullseye and signs the image.
+
+#### ebg-secure-boot-secrets
+This package takes a user-generated certificate and adds it to the build system.
+The following variable and steps are necessary to build a secure boot capable image:
+- Set certification information to sign and verify the image with:
+    - SB_CERTDB: The directory containing the certificate database create with certutil
+    - SB_VERIFY_CERT: The certificate to verify the signing process
+    - SB_KEY_NAME: Name of the key in the certificate database
+- if necessary change the script to select the boot partition after an update
+    - recipes-support/initramfs-config/files/initramfs.selectrootfs.script
+
+The files referred by SB_CERTDB and SB_VERIFY_CERT must be store in  `recipes-devtools/ebg-secure-boot-secrets/files/`
+
+## QEMU
+
+Set up a secure boot test environment with [QEMU](https://www.qemu.org/)
+
+### Prerequisites
+
+- OVMF from edk2 release edk2-stable201911 or newer
+  - This documentation was tested under Debian 10 with OVMF (0.0~20200229-2) backported from Debian
+  bullseye
+- efitools for KeyTool.efi
+  - This documentation was tested under Debian 10 with efitools (1.9.2-1) backported from Debian bullseye
+- libnss3-tools
+
+### Debian Snakeoil keys
+
+The build copies the  Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF. Y
+u can use them as described in section [Start Image](### Start the image).
+
+### Generate Keys
+
+#### Reuse exiting keys
+
+It is possible to use exiting keys like /usr/share/ovmf/PkKek-1-snakeoil.pem' from Debian
+by executing the script  `scripts/generate-sb-db-from-existing-certificate.sh`, e.g.:
+```
+export SB_NAME=<name for the secureboot config>
+export SB_KEYDIR=<location to store the database>
+export INKEY=<secret key of the certificate>
+export INCERT=<certificate>
+export INNICK=<name of the certificate in the database>
+scripts/generate-sb-db-from-existing-certificate.sh
+```
+This will create the directory `SB_KEYDIR` and will store the `${SB_NAME}certdb` with the given name.
+
+Copy the used certificate and database to `recipes-devtools/ebg-secure-boot-secrets/files/`
+
+#### Generate keys
+
+To generate the necessary keys and information to test secure-boot with QEMU
+execute the script `scripts/generate_secure_boot_keys.sh`
+
+##### Add Keys to OVMF
+1. Create a folder and copy the generated keys and KeyTool.efi
+(in Debian the file can be found at: /lib/efitools/x86_64-linux-gnu/KeyTool.efi) to the folder
+```
+mkdir secureboot-tools
+cp -r keys secureboot-tools
+cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools
+```
+2. Copy the file OVMF_VARS.fd (in Debian the file can be found at /usr/share/OVMF/OVMF_VARS.fd)
+to the current directory. OVMF_VARS.fd contains no keys can be instrumented for secureboot.
+3. Start QEMU with the script scripts/start-efishell.sh
+```
+scripts/start-efishell.sh secureboot-tools
+```
+4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+          -> "Edit Keys"
+             -> "The Allowed Signatures Database (db)"
+                -> "Add New Key"
+                -> Change/Confirm device
+                -> Select "DB.esl" file
+             -> "The Key Exchange Key Database (KEK)"
+                -> "Add New Key"
+                -> Change/Confirm device
+                -> Select "KEK.esl" file
+             -> "The Platform Key (PK)
+                -> "Replace Key(s)"
+                -> Change/Confirm device
+                -> Select "PK.auth" file
+5. quit QEMU
+
+### Build image
+
+Build the image with a signed efibootguard and unified kernel image
+with the snakeoil keys by executing:
+```
+kas-docker --isar build kas/cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-secure-boot-snakeoil.yml
+```
+
+For user-generated keys, create a new option file. This option file could look like this:
+```
+header:
+  version: 8
+  includes:
+   - opt/ebg-swu.yml
+   - opt/ebg-secure-boot-initramfs.yml
+
+local_conf_header:
+  secure-boot: |
+    IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
+    IMAGER_INSTALL += "ebg-secure-boot-secrets"
+  user-keys:
+    SB_CERTDB = "democertdb"
+    SB_VERIFY_CERT = "demo.crt"
+    SB_KEY_NAME = "demo"
+```
+
+Replace `demo` with the name of the user-generated certificates.
+
+### Start the image
+
+#### Debian snakeoil
+
+Start the image with the following command:
+```
+SECURE_BOOT=y \
+./start-qemu.sh amd64
+```
+
+The default `OVMF_VARS.snakeoil.fd` boot to the EFI shell. To boot Linux enter the following command:
+```
+FS0:\EFI\BOOT\bootx64.efi
+```
+To change the boot behavior, enter `exit` in the shell to enter the bios and change the boot order.
+
+#### User-generated keys
+Start the image with the following command:
+```
+SECURE_BOOT=y \
+OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd \
+OVMF_VARS=<path to the modified OVMF_VARS.fd> \
+./start-qemu.sh amd64
+```
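Review bot: the kas option-file example under "Build image" is not valid kas input: `user-keys:` lacks the `|` block-scalar marker that `secure-boot: |` has, so the three `SB_*` lines are parsed as a nested YAML mapping instead of local.conf text; it must read `user-keys: |`. Markdown and spelling fixes for the same file: the sentence "copies the  Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF. Y / u can use them" has an unclosed backtick and a hard line break inside "You"; `[Start Image](### Start the image)` is not a valid link target (use `#start-the-image`); `signwith=<path and name of the script to sign>"` carries a stray closing quote; `"The Platform Key (PK)` is missing its closing quote; "Reuse exiting keys" and "use exiting keys" should be "existing"; "create with certutil" should be "created"; "must be store in" should be "stored"; "contains no keys can be instrumented" needs an "and"; "execute the the following" doubles "the"; and "boot to the EFI shell" should be "boots". It would also help to state in the ebg-secure-boot-snakeoil section that the snakeoil private key ships in the public ovmf package with a well-known passphrase, so an image signed with it provides no protection and is meant only for QEMU testing.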
diff --git a/kas/opt/qemu-wic.yml b/kas/opt/qemu-wic.yml
new file mode 100644
index 0000000..3489183
--- /dev/null
+++ b/kas/opt/qemu-wic.yml
@@ -0,0 +1,14 @@
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Licensed under the Siemens Inner Source License 1.2, or at your option any
+# later version.
+#
+
+header:
+  version: 8
+
+local_conf_header:
+  qemu-wic: |
+    IMAGE_TYPE ?= "wic-img"
+    WKS_FILE = "qemu-amd64-${BOOTLOADER}.wks"
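Review bot: the header places this file under the "Siemens Inner Source License 1.2", whereas the other new files in this series carry `SPDX-License-Identifier: MIT` (for example ovmf-binaries_0.1.bb); for a file in the public isar-cip-core tree the MIT/SPDX header should be used. Also, the file is named generically (qemu-wic.yml) but hard-codes `qemu-amd64` in WKS_FILE; either name it after the machine or use the machine variable.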
-- 
2.20.1



* Re: [cip-dev] [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot Quirin Gylstorff
@ 2020-06-29  8:14   ` Jan Kiszka
  2020-06-29  9:01     ` Quirin Gylstorff
  0 siblings, 1 reply; 29+ messages in thread
From: Jan Kiszka @ 2020-06-29  8:14 UTC (permalink / raw)
  To: Q. Gylstorff, cip-dev

[-- Attachment #1: Type: text/plain, Size: 1569 bytes --]

On 25.06.20 16:10, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>   recipes-core/swupdate/files/swupdate_handlers.lua | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua b/recipes-core/swupdate/files/swupdate_handlers.lua
> index c9b9962..f2ecc54 100644
> --- a/recipes-core/swupdate/files/swupdate_handlers.lua
> +++ b/recipes-core/swupdate/files/swupdate_handlers.lua
> @@ -311,8 +311,12 @@ function handler_roundrobin(image)
>           if rootparam and rootdevice then break end
>       end
>       if not rootdevice then
> -      swupdate.error("Cannot determine current root device.")
> -      return 1
> +        -- Use findmnt to get the rootdev
> +      rootdevice = io.popen('findmnt -nl / -o PARTUUID'):read("*l")
> +      if not rootdevice then
> +        swupdate.error("Cannot determine current root device.")
> +        return 1
> +      end
>       end
>       swupdate.info(string.format("Current root device is: %s", rootdevice))
>   
> 

Seems not really specific to secure-boot, rather related to the 
initramfs-based rootfs selection. But is that one actually using 
PARTUUID in the end? Or rather device paths?

Anyway, I'm not against merging this. It should just be correctly 
labeled. Or maybe even merged into the swupdate patch from the first series.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


* Re: [cip-dev] [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot
  2020-06-29  8:14   ` Jan Kiszka
@ 2020-06-29  9:01     ` Quirin Gylstorff
  0 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-29  9:01 UTC (permalink / raw)
  To: Jan Kiszka, cip-dev

[-- Attachment #1: Type: text/plain, Size: 1893 bytes --]



On 6/29/20 10:14 AM, Jan Kiszka wrote:
> On 25.06.20 16:10, Q. Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>>   recipes-core/swupdate/files/swupdate_handlers.lua | 8 ++++++--
>>   1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/recipes-core/swupdate/files/swupdate_handlers.lua 
>> b/recipes-core/swupdate/files/swupdate_handlers.lua
>> index c9b9962..f2ecc54 100644
>> --- a/recipes-core/swupdate/files/swupdate_handlers.lua
>> +++ b/recipes-core/swupdate/files/swupdate_handlers.lua
>> @@ -311,8 +311,12 @@ function handler_roundrobin(image)
>>           if rootparam and rootdevice then break end
>>       end
>>       if not rootdevice then
>> -      swupdate.error("Cannot determine current root device.")
>> -      return 1
>> +        -- Use findmnt to get the rootdev
>> +      rootdevice = io.popen('findmnt -nl / -o PARTUUID'):read("*l")
>> +      if not rootdevice then
>> +        swupdate.error("Cannot determine current root device.")
>> +        return 1
>> +      end
>>       end
>>       swupdate.info(string.format("Current root device is: %s", 
>> rootdevice))
>>
> 
> Seems not really specific to secure-boot, rather related to the 
> initramfs-based rootfs selection. But is that one actually using 
> PARTUUID in the end? Or rather device paths?

It uses the partuuid from root. If someone finds a better way to get
the current root without parsing the kernel commandline I would use
that.
> 
> Anyway, I'm not against merging this. It should just be correctly 
> labeled. Or maybe even merged into the swupdate patch from the first 
> series.

I will move the patch to the A/B update patch.

> 
> Jan
> 

-- 
Quirin


* [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard
  2020-06-25 14:10 [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard Quirin Gylstorff
                   ` (6 preceding siblings ...)
  2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 7/7] doc: Add README " Quirin Gylstorff
@ 2020-06-29 12:53 ` Quirin Gylstorff
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 1/6] kernel: add fat for qemu-amd64 Quirin Gylstorff
                     ` (6 more replies)
  7 siblings, 7 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-29 12:53 UTC (permalink / raw)
  To: Jan.Kiszka, cip-dev; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 5258 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds secureboot with efibootguard to cip-core.

The image build signs the efibootguard bootloader (bootx64.efi) and generates
a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
A unified kernel image packs the kernel, initramfs and the kernel command-line
in one binary object. As the kernel command-line is immutable after the build
process, the previous selection of the root file system with a command-line parameter is no longer
possible. Therefore the selection of the root file-system occurs now in the initramfs.

The image uses an A/B partition layout to update the root file system. The sample implementation to
select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
If a match is found the rootfs is used for the boot.

Changes V2:

- rebase to [1]
- removed luahandler patch as it is now part of [1]
- add handling for sw-description

[1]: a/b rootfsupdate with software update

Quirin Gylstorff (6):
  kernel: add fat for qemu-amd64
  isar-patch: Add initramfs-config patch
  secure-boot: select boot partition in initramfs
  secure-boot: Add secure boot with unified kernel image
  secure-boot: Add Debian snakeoil keys for ease-of-use
  doc: Add README for secureboot

 classes/image_uuid.bbclass                    |  29 +++
 conf/distro/debian-buster-backports.list      |   1 +
 conf/distro/preferences.ovmf-snakeoil.conf    |   3 +
 doc/README.secureboot.md                      | 188 ++++++++++++++++
 ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++++
 kas-cip.yml                                   |   3 +
 kas/opt/ebg-secure-boot-base.yml              |  17 ++
 kas/opt/ebg-secure-boot-snakeoil.yml          |  27 +++
 kas/opt/ebg-swu.yml                           |   2 +-
 recipes-core/images/cip-core-image.bb         |   2 +-
 recipes-core/images/files/sw-description.tmpl |   6 +-
 .../ebg-secure-boot-secrets_0.1.bb            |  51 +++++
 .../ebg-secure-boot-secrets/files/README.md   |   1 +
 .../files/control.tmpl                        |  12 +
 .../files/sign_secure_image.sh.tmpl           |  22 ++
 .../ebg-secure-boot-snakeoil_0.1.bb           |  35 +++
 .../files/control.tmpl                        |  12 +
 .../files/sign_secure_image.sh                |  36 +++
 .../ovmf-binaries/files/control.tmpl          |  11 +
 .../ovmf-binaries/ovmf-binaries_0.1.bb        |  30 +++
 .../linux/files/qemu-amd64_defconfig          |   6 +
 .../files/initramfs.image_uuid.hook           |  33 +++
 .../files/initramfs.lsblk.hook                |  29 +++
 .../initramfs-config/files/postinst.ext       |   3 +
 .../files/secure-boot-debian-local-patch      |  77 +++++++
 .../initramfs-abrootfs-secureboot_0.1.bb      |  38 ++++
 ...enerate-sb-db-from-existing-certificate.sh |  16 ++
 scripts/generate_secure_boot_keys.sh          |  51 +++++
 .../wic/plugins/source/efibootguard-boot.py   |  87 +++++++-
 .../wic/plugins/source/efibootguard-efi.py    |  40 +++-
 scripts/start-efishell.sh                     |  12 +
 start-qemu.sh                                 |  54 ++++-
 wic/ebg-signed-bootloader.inc                 |   2 +
 wic/qemu-amd64-efibootguard.wks               |   6 +-
 34 files changed, 1119 insertions(+), 30 deletions(-)
 create mode 100644 classes/image_uuid.bbclass
 create mode 100644 conf/distro/debian-buster-backports.list
 create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
 create mode 100644 doc/README.secureboot.md
 create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
 create mode 100644 kas/opt/ebg-secure-boot-base.yml
 create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
 create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
 create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
 create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
 create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
 create mode 100644 recipes-support/initramfs-config/files/postinst.ext
 create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
 create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
 create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
 create mode 100755 scripts/generate_secure_boot_keys.sh
 create mode 100755 scripts/start-efishell.sh
 create mode 100644 wic/ebg-signed-bootloader.inc

-- 
2.20.1



* [cip-dev] [isar-cip-core PATCH v2 1/6] kernel: add fat for qemu-amd64
  2020-06-29 12:53 ` [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard Quirin Gylstorff
@ 2020-06-29 12:53   ` Quirin Gylstorff
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 2/6] isar-patch: Add initramfs-config patch Quirin Gylstorff
                     ` (5 subsequent siblings)
  6 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-29 12:53 UTC (permalink / raw)
  To: Jan.Kiszka, cip-dev; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 827 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add a FAT configuration to access FAT partitions on the qemu-amd64
target.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-kernel/linux/files/qemu-amd64_defconfig | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/recipes-kernel/linux/files/qemu-amd64_defconfig b/recipes-kernel/linux/files/qemu-amd64_defconfig
index 7487152..5449317 100644
--- a/recipes-kernel/linux/files/qemu-amd64_defconfig
+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
@@ -351,3 +351,9 @@ CONFIG_CRYPTO_DEV_CCP=y
 # CONFIG_XZ_DEC_ARM is not set
 # CONFIG_XZ_DEC_ARMTHUMB is not set
 # CONFIG_XZ_DEC_SPARC is not set
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
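Review bot: CONFIG_MSDOS_FS enables the legacy 8.3 "msdos" filesystem, which nothing in this series mounts; the EFI system partition and the efibootguard boot partition are mounted as vfat, so CONFIG_VFAT_FS together with the NLS options is sufficient. Not a blocker, but the commit message could name the consumer (the efibootguard EFI and boot partitions added later in the series) so the reason for these options is recorded.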
-- 
2.20.1



* [cip-dev] [isar-cip-core PATCH v2 2/6] isar-patch: Add initramfs-config patch
  2020-06-29 12:53 ` [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard Quirin Gylstorff
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 1/6] kernel: add fat for qemu-amd64 Quirin Gylstorff
@ 2020-06-29 12:53   ` Quirin Gylstorff
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 3/6] secure-boot: select boot partition in initramfs Quirin Gylstorff
                     ` (4 subsequent siblings)
  6 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-29 12:53 UTC (permalink / raw)
  To: Jan.Kiszka, cip-dev; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 8927 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Adapt the initramfs generation to set, for example, the root device
in the initramfs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++++
 kas-cip.yml                                   |   3 +
 2 files changed, 210 insertions(+)
 create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch

diff --git a/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
new file mode 100644
index 0000000..f8fb28e
--- /dev/null
+++ b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
@@ -0,0 +1,207 @@
+From 7c85e2e363fd39e60bf5041d02e14e8bd62c1a68 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Tue, 24 Mar 2020 17:58:08 +0100
+Subject: [PATCH v7 1/3] meta/support: Generate a custom initramfs
+
+This package sets the Parameters for mkinitramfs/update-intramfs
+before it regenerates the initrd.img of debian with a modified version.
+
+Use cases are the remove unnecessary kernel modules to reduce the
+size of the initrd by using the parameters:
+```
+INITRAMFS_MODULES = "list"
+INITRAMFS_MODULE_LIST += "ext4"
+```
+
+Set the boot root during the initrd generation by setting `INITRAMFS_ROOT`.
+
+see also man pages of mkinitramfs and initramfs.conf.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ .../initramfs-config/initramfs-config_0.1.bb  |  6 +++
+ .../initramfs-config/files/control.tmpl       | 12 +++++
+ .../initramfs-config/files/postinst.tmpl      | 50 +++++++++++++++++++
+ .../initramfs-config/files/postrm.tmpl        | 41 +++++++++++++++
+ .../initramfs-config/initramfs-config.inc     | 32 ++++++++++++
+ 5 files changed, 141 insertions(+)
+ create mode 100644 meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+ create mode 100644 meta/recipes-support/initramfs-config/files/control.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/files/postinst.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/files/postrm.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/initramfs-config.inc
+
+diff --git a/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+new file mode 100644
+index 0000000..c951e8a
+--- /dev/null
++++ b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+@@ -0,0 +1,6 @@
++#
++# Copyright (C) Siemens AG, 2020
++#
++# SPDX-License-Identifier: MIT
++
++require recipes-support/initramfs-config/initramfs-config.inc
+diff --git a/meta/recipes-support/initramfs-config/files/control.tmpl b/meta/recipes-support/initramfs-config/files/control.tmpl
+new file mode 100644
+index 0000000..66984eb
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/control.tmpl
+@@ -0,0 +1,12 @@
++Source: ${PN}
++Section: misc
++Priority: optional
++Standards-Version: 3.9.6
++Maintainer: isar-users <isar-users@googlegroups.com>
++Build-Depends: debhelper (>= 9)
++
++
++Package: ${PN}
++Architecture: any
++Depends: ${shlibs:Depends}, ${misc:Depends}, initramfs-tools-core, ${DEBIAN_DEPENDS}
++Description: Configuration files for a custom initramfs
+diff --git a/meta/recipes-support/initramfs-config/files/postinst.tmpl b/meta/recipes-support/initramfs-config/files/postinst.tmpl
+new file mode 100644
+index 0000000..e523906
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/postinst.tmpl
+@@ -0,0 +1,50 @@
++#!/bin/sh
++# postinst script for initramfs-config
++#
++# see: dh_installdeb(1)
++
++set -e
++
++case "$1" in
++    configure)
++        INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
++        if [ -f ${INITRAMFS_CONF} ]; then
++            sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
++            if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
++                sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
++            else
++                sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
++            fi
++        fi
++
++        MODULES_LIST_FILE=/etc/initramfs-tools/modules
++        if [ -f ${MODULES_LIST_FILE} ]; then
++            for modname in ${INITRAMFS_MODULE_LIST}; do
++                if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
++                    echo "$modname" >> "${MODULES_LIST_FILE}"
++                fi
++            done
++        fi
++
++        update-initramfs -v -u
++
++    ;;
++    abort-upgrade|abort-remove|abort-deconfigure)
++    ;;
++
++    *)
++        echo "postinst called with unknown argument \`$1'" >&2
++        exit 1
++        ;;
++esac
++# dh_installdeb will replace this with shell code automatically
++# generated by other debhelper scripts.
++#DEBHELPER#
++
++exit 0
+diff --git a/meta/recipes-support/initramfs-config/files/postrm.tmpl b/meta/recipes-support/initramfs-config/files/postrm.tmpl
+new file mode 100644
+index 0000000..115d9b6
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/postrm.tmpl
+@@ -0,0 +1,41 @@
++#!/bin/sh
++# postrm script for initramfs-config
++#
++# see: dh_installdeb(1)
++
++set -e
++
++case "$1" in
++    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
++        # back to the debian defaults
++        INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
++        sed -i -E 's/(^MODULES=).*/\1most/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^BUSYBOX=).*/\1auto/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^COMPRESS=).*/\1gzip/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^KEYMAP=).*/\1n/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^DEVICE=).*/\1/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^NFSROOT=).*/\1auto/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^RUNSIZE=).*/\110%/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^ROOT=).*//' ${INITRAMFS_CONF}
++
++        # remove the added modules
++        MODULES_LIST_FILE=/etc/initramfs-tools/modules
++        for modname in ${INITRAMFS_MODULE_LIST}; do
++            sed -i -E 's/$modname//'
++        done
++
++        update-initramfs -v -u
++    ;;
++
++    *)
++        echo "postrm called with unknown argument \`$1'" >&2
++        exit 1
++        ;;
++esac
++
++# dh_installdeb will replace this with shell code automatically
++# generated by other debhelper scripts.
++
++#DEBHELPER#
++
++exit 0
+diff --git a/meta/recipes-support/initramfs-config/initramfs-config.inc b/meta/recipes-support/initramfs-config/initramfs-config.inc
+new file mode 100644
+index 0000000..16049a9
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/initramfs-config.inc
+@@ -0,0 +1,32 @@
++# This software is a part of ISAR.
++# Copyright (C) 2020 Siemens AG
++#
++# SPDX-License-Identifier: MIT
++inherit dpkg-raw
++inherit template
++DESCRIPTION = "Recipe to set the initramfs configuration and generate a new ramfs"
++
++FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:"
++
++SRC_URI = "file://postinst.tmpl \
++           file://postrm.tmpl \
++           file://control.tmpl \
++          "
++
++INITRAMFS_MODULES ?= "most"
++INITRAMFS_BUSYBOX ?= "auto"
++INITRAMFS_COMPRESS ?= "gzip"
++INITRAMFS_KEYMAP ?= "n"
++INITRAMFS_NET_DEVICE ?= ""
++INITRAMFS_NFSROOT ?= "auto"
++INITRAMFS_RUNSIZE ?= "10%"
++INITRAMFS_ROOT ?= ""
++INITRAMFS_MODULE_LIST ?= ""
++CREATE_NEW_INITRAMFS ?= "n"
++KERNEL_PACKAGE = "${@ ("linux-image-" + d.getVar("KERNEL_NAME", True)) if d.getVar("KERNEL_NAME", True) else ""}"
++DEBIAN_DEPENDS += ", ${KERNEL_PACKAGE}"
++TEMPLATE_FILES = "postinst.tmpl control.tmpl postrm.tmpl"
++TEMPLATE_VARS += "INITRAMFS_MODULES INITRAMFS_BUSYBOX INITRAMFS_COMPRESS \
++                  INITRAMFS_KEYMAP INITRAMFS_NET_DEVICE INITRAMFS_NFSROOT \
++                  INITRAMFS_RUNSIZE INITRAMFS_ROOT INITRAMFS_MODULE_LIST \
++                  CREATE_NEW_INITRAMFS DEBIAN_DEPENDS PN"
+-- 
+2.20.1
+
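Review bot: in postrm.tmpl the module clean-up loop runs `sed -i -E 's/$modname//'` with no file operand and with `$modname` inside single quotes, so sed blocks reading stdin and the pattern is the literal text `$modname`; the intended command is something like `sed -i "/^${modname}\$/d" "${MODULES_LIST_FILE}"` (the variable is assigned on the line above but never used). In postinst.tmpl, `grep -Fxq "ROOT="` only matches a line that is exactly `ROOT=`, so a config that already contains `ROOT=/dev/...` takes the else branch and gets a second `ROOT=` line appended; `grep -q '^ROOT='` is the check that matches the following `sed 's/(^ROOT=).*/.../'`. `CREATE_NEW_INITRAMFS` is defined and exported in `TEMPLATE_VARS` but not used by any template.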
diff --git a/kas-cip.yml b/kas-cip.yml
index 0da07db..da99d51 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -26,6 +26,9 @@ repos:
       01-libubootenv:
         path: isar-patches/0001-u-boot-add-libubootenv.patch
         repo: cip-core
+      02-initramfs:
+        path: isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
+        repo: cip-core
 
 bblayers_conf_header:
   standard: |
-- 
2.20.1


View/Reply Online (#4860): https://lists.cip-project.org/g/cip-dev/message/4860


* [cip-dev] [isar-cip-core PATCH v2 3/6] secure-boot: select boot partition in initramfs
  2020-06-29 12:53 ` [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard Quirin Gylstorff
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 1/6] kernel: add fat for qemu-amd64 Quirin Gylstorff
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 2/6] isar-patch: Add initramfs-config patch Quirin Gylstorff
@ 2020-06-29 12:53   ` Quirin Gylstorff
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 4/6] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
                     ` (3 subsequent siblings)
  6 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-29 12:53 UTC (permalink / raw)
  To: Jan.Kiszka, cip-dev; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 10161 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

As the usage of a unified kernel image freezes the kernel commandline
during build time, the rootfs selection for swupdate can no longer be
done with the kernel commandline and must be done later in the boot
process. Read the root filesystem's /etc/os-release and check if it contains
the same uuid as stored in the initramfs. If the uuids are the same,
boot the root file system.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/image_uuid.bbclass                    | 29 +++++++
 .../files/initramfs.image_uuid.hook           | 33 ++++++++
 .../files/initramfs.lsblk.hook                | 29 +++++++
 .../initramfs-config/files/postinst.ext       |  3 +
 .../initramfs-config/files/postinst.tmpl      | 31 ++++++++
 .../files/secure-boot-debian-local-patch      | 77 +++++++++++++++++++
 .../initramfs-abrootfs-secureboot_0.1.bb      | 38 +++++++++
 7 files changed, 240 insertions(+)
 create mode 100644 classes/image_uuid.bbclass
 create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
 create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
 create mode 100644 recipes-support/initramfs-config/files/postinst.ext
 create mode 100644 recipes-support/initramfs-config/files/postinst.tmpl
 create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
 create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb

diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
new file mode 100644
index 0000000..64379da
--- /dev/null
+++ b/classes/image_uuid.bbclass
@@ -0,0 +1,29 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+def generate_image_uuid():
+    import uuid
+    return str(uuid.uuid4())
+
+
+IMAGE_UUID ?= "${@generate_image_uuid()}"
+
+do_generate_image_uuid[depends] = "buildchroot-target:do_build"
+do_generate_image_uuid() {
+    sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release'
+    echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \
+        sudo tee -a '${IMAGE_ROOTFS}/etc/os-release'
+    image_do_mounts
+
+    # update initramfs to add uuid
+    sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u
+}
+addtask generate_image_uuid before do_copy_boot_files after do_rootfs_install
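Review bot: `IMAGE_UUID ?= "${@generate_image_uuid()}"` yields a fresh random `uuid4()` every time the expression is evaluated, so the value is not reproducible between builds and nothing ties it to the image content; if reproducible builds or a stable A/B identity matter, persist the generated value once (for example under `${WORKDIR}`) or document that `IMAGE_UUID` should be set explicitly. Note also that `sudo sed -i` on `${IMAGE_ROOTFS}/etc/os-release` replaces Debian's symlink to `/usr/lib/os-release` with a regular file (GNU sed only follows symlinks with `--follow-symlinks`), which is what the hook and the patched `local` script then read; that is workable, but worth a comment in the class.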
diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook
new file mode 100644
index 0000000..910ce84
--- /dev/null
+++ b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook
@@ -0,0 +1,33 @@
+# This software is a part of ISAR.
+# Copyright (C) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+#!/bin/sh
+set -x
+PREREQ=""
+
+prereqs()
+{
+     echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+     prereqs
+     exit 0
+     ;;
+esac
+
+. /usr/share/initramfs-tools/scripts/functions
+. /usr/share/initramfs-tools/hook-functions
+
+if [ ! -e /etc/os-release ]; then
+	echo "Warning: couldn't find /etc/os-release!"
+	exit 0
+fi
+
+IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release)
+echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid"
+
+exit 0
\ No newline at end of file
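Review bot: the `#!/bin/sh` line sits on line 6 after the license header, so it is not an interpreter line; initramfs-tools executes hooks directly, so it must be line 1 (the file also lacks a trailing newline). Drop the `set -x`, and fail when the `sed` leaves `IMAGE_UUID` empty instead of writing an empty `/conf/image_uuid`: the patched `local_mount_root` only tests `-e /conf/image_uuid`, and an empty value compares equal to the empty result it gets from any rootfs whose os-release has no `IMAGE_UUID` line at all, so the first such partition would be accepted as root.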
diff --git a/recipes-support/initramfs-config/files/initramfs.lsblk.hook b/recipes-support/initramfs-config/files/initramfs.lsblk.hook
new file mode 100644
index 0000000..cf32404
--- /dev/null
+++ b/recipes-support/initramfs-config/files/initramfs.lsblk.hook
@@ -0,0 +1,29 @@
+# This software is a part of ISAR.
+# Copyright (C) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+#!/bin/sh
+PREREQ=""
+
+prereqs()
+{
+     echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+     prereqs
+     exit 0
+     ;;
+esac
+
+. /usr/share/initramfs-tools/scripts/functions
+. /usr/share/initramfs-tools/hook-functions
+
+if [ ! -x /usr/bin/lsblk ]; then
+	echo "Warning: couldn't find /usr/bin/lsblk!"
+	exit 0
+fi
+
+copy_exec /usr/bin/lsblk
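Review bot: same problem as image_uuid.hook: `#!/bin/sh` has to be the first line of the file to act as the interpreter line; the `prereqs` handling and `copy_exec` are fine once the header order is fixed.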
diff --git a/recipes-support/initramfs-config/files/postinst.ext b/recipes-support/initramfs-config/files/postinst.ext
new file mode 100644
index 0000000..cdafa74
--- /dev/null
+++ b/recipes-support/initramfs-config/files/postinst.ext
@@ -0,0 +1,3 @@
+if [ -d /usr/share/secureboot ]; then
+    patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
+fi
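Review bot: `patch -s -p0` runs on every `configure`, so a reinstall or upgrade of the package re-applies the patch to an already patched `local` script, where `patch` detects a reversed hunk and either prompts or fails under `set -e`; use `patch -N` (`--forward`) or a `--dry-run` check first. `/usr/share/initramfs-tools/scripts/local` is owned by initramfs-tools-core, so an upgrade of that package silently overwrites the modification; shipping a complete replacement script from this package avoids both problems.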
diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl
new file mode 100644
index 0000000..008f68d
--- /dev/null
+++ b/recipes-support/initramfs-config/files/postinst.tmpl
@@ -0,0 +1,31 @@
+#!/bin/sh
+if [ -d /usr/share/secureboot ]; then
+    patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
+fi
+
+INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
+if [ -f ${INITRAMFS_CONF} ]; then
+    sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
+    if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
+        sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
+    else
+        sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
+    fi
+fi
+
+MODULES_LIST_FILE=/etc/initramfs-tools/modules
+if [ -f ${MODULES_LIST_FILE} ]; then
+    for modname in ${INITRAMFS_MODULE_LIST}; do
+        if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
+            echo "$modname" >> "${MODULES_LIST_FILE}"
+        fi
+    done
+fi
+
+update-initramfs -v -u
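Review bot: this template drops the `case "$1" in configure)` dispatch and `set -e` of the isar `postinst.tmpl` and hardcodes the same `patch` call that `postinst.ext` carries, so with this file in place the `sed -i -e '/configure)/r ${WORKDIR}/postinst.ext'` in `do_install` has no line to match and one of the two copies is dead; keep either the `.ext` insertion into the isar template or this override, not both.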
diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
new file mode 100644
index 0000000..31d4c40
--- /dev/null
+++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
@@ -0,0 +1,77 @@
+--- local	2020-06-10 14:54:42.148263121 +0200
++++ ../../../../../../../../../../../recipes-support/initramfs-config/files/local	2020-06-10 14:53:03.723314458 +0200
+@@ -1,5 +1,4 @@
+ # Local filesystem mounting			-*- shell-script -*-
+-
+ local_top()
+ {
+ 	if [ "${local_top_used}" != "yes" ]; then
+@@ -155,34 +154,46 @@
+ local_mount_root()
+ {
+ 	local_top
+-	if [ -z "${ROOT}" ]; then
+-		panic "No root device specified. Boot arguments must include a root= parameter."
++	if [ ! -e /conf/image_uuid ]; then
++		 panic "could not find image_uuid to select correct root file system"
+ 	fi
+-	local_device_setup "${ROOT}" "root file system"
+-	ROOT="${DEV}"
++	local INITRAMFS_IMAGE_UUID=$(cat /conf/image_uuid)
++	local partitions=$(lsblk -nlp -o name)
++	for part in $partitions; do
++			local_device_setup "${part}" "root file system"
++			ROOT="${DEV}"
++
++			# Get the root filesystem type if not set
++			if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
++					FSTYPE=$(get_fstype "${ROOT}")
++			else
++					FSTYPE=${ROOTFSTYPE}
++			fi
+ 
+-	# Get the root filesystem type if not set
+-	if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
+-		FSTYPE=$(get_fstype "${ROOT}")
+-	else
+-		FSTYPE=${ROOTFSTYPE}
+-	fi
++		local_premount
+ 
+-	local_premount
++			if [ "${readonly?}" = "y" ]; then
++					roflag=-r
++			else
++					roflag=-w
++			fi
+ 
+-	if [ "${readonly?}" = "y" ]; then
+-		roflag=-r
+-	else
+-		roflag=-w
+-	fi
++			checkfs "${ROOT}" root "${FSTYPE}"
+ 
+-	checkfs "${ROOT}" root "${FSTYPE}"
++			# Mount root
++			# shellcheck disable=SC2086
++			if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
++					if [ -e "${rootmnt?}"/etc/os-release ]; then
++							image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' )
++							if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then
++									return
++							fi
++					fi
++					umount "${rootmnt?}"
++      fi
++	done
++	panic "Could not find ROOTFS with matching UUID $INITRAMFS_IMAGE_UUID"
+ 
+-	# Mount root
+-	# shellcheck disable=SC2086
+-	if ! mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
+-		panic "Failed to mount ${ROOT} as root file system."
+-	fi
+ }
+ 
+ local_mount_fs()
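Review bot: `lsblk -nlp -o name` lists every block device, including whole disks and removable media, and each candidate goes through `local_device_setup`, `checkfs` and a mount attempt before the UUID comparison, so any attached device whose `/etc/os-release` carries the expected `IMAGE_UUID` is accepted as root; restrict the candidate list to the A/B root partitions (the partition UUIDs that sw-description.tmpl already names) rather than everything lsblk reports. `local_premount` is also called inside the loop, so premount scripts run once per candidate instead of once, and the `fi` closing the `if mount ...` block (`      fi`) is space-indented while the rest of the file uses tabs.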
diff --git a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb b/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
new file mode 100644
index 0000000..0be9871
--- /dev/null
+++ b/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
@@ -0,0 +1,38 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-support/initramfs-config/initramfs-config.inc
+
+FILESPATH =. "${LAYERDIR_isar-siemens}/recipes-support/initramfs-config/files:"
+
+DEBIAN_DEPENDS += ", busybox, patch"
+
+SRC_URI += "file://postinst.ext \
+            file://initramfs.lsblk.hook \
+            file://initramfs.image_uuid.hook \
+            file://secure-boot-debian-local-patch"
+
+INITRAMFS_BUSYBOX = "y"
+
+do_install() {
+    # add patch for local to /usr/share/secure boot
+    TARGET=${D}/usr/share/secureboot
+    install -m 0755 -d ${TARGET}
+    install -m 0644 ${WORKDIR}/secure-boot-debian-local-patch ${TARGET}/secure-boot-debian-local.patch
+    # patch postinst
+    sed -i -e '/configure)/r ${WORKDIR}/postinst.ext' ${WORKDIR}/postinst
+
+    # add hooks for secure boot
+    HOOKS=${D}/etc/initramfs-tools/hooks
+install -m 0755 -d ${HOOKS}
+    install -m 0740 ${WORKDIR}/initramfs.lsblk.hook ${HOOKS}/lsblk.hook
+    install -m 0740 ${WORKDIR}/initramfs.image_uuid.hook ${HOOKS}/image_uuid.hook
+}
+addtask do_install after do_transform_template
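Review bot: `FILESPATH =. "${LAYERDIR_isar-siemens}/..."` references a layer named `isar-siemens` that does not exist in this repository (cip-core-image.bb uses `LAYERDIR_cip-core`); with the variable unset the entry expands to `/recipes-support/initramfs-config/files:` and the `SRC_URI +=` files are only found through the `FILESEXTRAPATHS_prepend` of the included .inc, so drop the line or correct it to `LAYERDIR_cip-core`. The `install -m 0755 -d ${HOOKS}` line is also unindented relative to the rest of `do_install`.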
-- 
2.20.1


View/Reply Online (#4859): https://lists.cip-project.org/g/cip-dev/message/4859


* [cip-dev] [isar-cip-core PATCH v2 4/6] secure-boot: Add secure boot with unified kernel image
  2020-06-29 12:53 ` [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard Quirin Gylstorff
                     ` (2 preceding siblings ...)
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 3/6] secure-boot: select boot partition in initramfs Quirin Gylstorff
@ 2020-06-29 12:53   ` Quirin Gylstorff
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
                     ` (2 subsequent siblings)
  6 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-29 12:53 UTC (permalink / raw)
  To: Jan.Kiszka, cip-dev; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 25368 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

A unified kernel image contains the os-release, kernel,
kernel commandline, initramfs and efi-stub in one binary.
This binary can be booted by systemd-boot and efibootguard.
It also allows signing kernel and initramfs as one package.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 kas/opt/ebg-secure-boot-base.yml              | 17 ++++
 recipes-core/images/cip-core-image.bb         |  2 +-
 recipes-core/images/files/sw-description.tmpl |  6 +-
 .../ebg-secure-boot-secrets_0.1.bb            | 51 +++++++++++
 .../ebg-secure-boot-secrets/files/README.md   |  1 +
 .../files/control.tmpl                        | 12 +++
 .../files/sign_secure_image.sh.tmpl           | 22 +++++
 .../initramfs-config/files/postinst.tmpl      | 31 -------
 ...enerate-sb-db-from-existing-certificate.sh | 16 ++++
 scripts/generate_secure_boot_keys.sh          | 51 +++++++++++
 .../wic/plugins/source/efibootguard-boot.py   | 87 +++++++++++++++++--
 .../wic/plugins/source/efibootguard-efi.py    | 40 ++++++++-
 scripts/start-efishell.sh                     | 12 +++
 start-qemu.sh                                 | 54 +++++++++---
 wic/ebg-signed-bootloader.inc                 |  2 +
 wic/qemu-amd64-efibootguard.wks               |  6 +-
 16 files changed, 350 insertions(+), 60 deletions(-)
 create mode 100644 kas/opt/ebg-secure-boot-base.yml
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 delete mode 100644 recipes-support/initramfs-config/files/postinst.tmpl
 create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
 create mode 100755 scripts/generate_secure_boot_keys.sh
 create mode 100755 scripts/start-efishell.sh
 create mode 100644 wic/ebg-signed-bootloader.inc

diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
new file mode 100644
index 0000000..0f9133c
--- /dev/null
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -0,0 +1,17 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 8
+
+local_conf_header:
+  initramfs: |
+    IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 4dfc983..c781623 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -10,7 +10,7 @@
 #
 
 inherit image
-
+inherit image_uuid
 ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'"
 DESCRIPTION = "CIP Core image"
 
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index bef1984..bce97d0 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -11,12 +11,12 @@
 software =
 {
     version = "0.2";
-    name = "ebsy secure boot update"
+    name = "secure boot update"
     images: ({
-            filename = "${EXTRACTED_PARTITION_NAME}";
+            filename = "${ROOTFS_PARTITION_NAME}";
             device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
             type = "roundrobin";
-            compressed = true;
+            compressed = "true";
             filesystem = "ext4";
     });
     files: ({
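Review bot: `compressed = true` (boolean) becomes `compressed = "true"` (string) here; swupdate's documented string values for `compressed` are compression names such as `"zlib"`, with the bare boolean kept for backward compatibility, so please confirm the swupdate version in the image accepts the string `"true"`, otherwise the rootfs image is written uncompressed or rejected. The rename from `${EXTRACTED_PARTITION_NAME}` to `${ROOTFS_PARTITION_NAME}` also needs the recipe that fills this template to export `ROOTFS_PARTITION_NAME`, which is not visible in this hunk.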
diff --git a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
new file mode 100644
index 0000000..37b35c9
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
@@ -0,0 +1,51 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Add user defined secureboot certifcates to the buildchroot and the script to \
+               sign an image with the given keys"
+
+# variables
+SB_CERT_PATH = "/usr/share/ebg-secure-boot"
+SB_CERTDB ??= ""
+SB_VERIFY_CERT ??= ""
+SB_KEY_NAME ??= "demoDB"
+
+# used to sign the image
+DEBIAN_DEPENDS = "pesign, sbsigntool"
+
+# this package cannot be install together with:
+DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil"
+
+SRC_URI = " \
+    file://sign_secure_image.sh.tmpl \
+    file://control.tmpl"
+SRC_URI_append = " ${@ d.getVar(SB_CERTDB) or "" }"
+SRC_URI_append = " ${@ d.getVar(SB_VERIFY_CERT) or "" }"
+TEMPLATE_FILES = "sign_secure_image.sh.tmpl"
+TEMPLATE_VARS += "SB_CERT_PATH SB_CERTDB SB_VERIFY_CERT SB_KEY_NAME"
+
+TEMPLATE_FILES += "control.tmpl"
+TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
+
+do_install() {
+    TARGET=${D}${SB_CERT_PATH}
+    install -m 0700 -d ${TARGET}
+    cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB}
+    chmod 700 ${TARGET}/${SB_CERTDB}
+    install -m 0600 ${WORKDIR}/${SB_VERIFY_CERT} ${TARGET}/${SB_VERIFY_CERT}
+    TARGET=${D}/usr/bin
+    install -d ${TARGET}
+    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
+}
+
+addtask do_install after do_transform_template
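Review bot: `${@ d.getVar(SB_CERTDB) or "" }` passes the bare Python name `SB_CERTDB` instead of the string `'SB_CERTDB'`, which raises `NameError` as soon as `SRC_URI` is expanded; it should be `d.getVar('SB_CERTDB')`, and the result needs a `file://` prefix to be a valid SRC_URI entry (same for `SB_VERIFY_CERT`). Since `cp -a ${WORKDIR}/${SB_CERTDB}` packages the NSS database holding the private signing key into a .deb, make sure that package only ever reaches the buildchroot and never an `IMAGE_INSTALL` list or the deploy directory.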
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/README.md b/recipes-devtools/ebg-secure-boot-secrets/files/README.md
new file mode 100644
index 0000000..c739c51
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/README.md
@@ -0,0 +1 @@
+For a secure boot image this directory needs to contain the certdb directory and the db.crt file.
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
new file mode 100644
index 0000000..8361a49
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
@@ -0,0 +1,12 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: ${MAINTAINER}
+Build-Depends: debhelper (>= 9)
+
+Package: ${PN}
+Architecture: ${DPKG_ARCH}
+Depends: ${DEBIAN_DEPENDS}
+Description: ${DESCRIPTION}
+Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
new file mode 100644
index 0000000..e84fd4c
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+set -x
+signee=$1
+signed=$2
+
+usage(){
+    echo "sign with debian snakeoil"
+    echo "$0 signee signed"
+    echo "signee: path to the image to be signed"
+    echo "signed: path to store the signed image"
+}
+
+
+if [ -z "$signee" ] || [ -z "$signed" ]; then
+    usage
+    exit 1
+fi
+
+pesign --force --verbose --padding -n ${SB_CERT_PATH}/${SB_CERTDB} -c "${SB_KEY_NAME}" -s -i $signee -o $signed
+sbverify --cert ${SB_CERT_PATH}/${SB_VERIFY_CERT} $signed
+exit 0
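Review bot: the usage text says `sign with debian snakeoil`, but this template is the user-defined-key variant (`SB_KEY_NAME` defaults to `demoDB`); fix the string. `set -x` traces every command, including the `-n ${SB_CERT_PATH}/${SB_CERTDB}` database path, into the build log, which a signing helper does not need, and `$signee`/`$signed` should be quoted.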
diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl
deleted file mode 100644
index 008f68d..0000000
--- a/recipes-support/initramfs-config/files/postinst.tmpl
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-if [ -d /usr/share/secureboot ]; then
-    patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
-fi
-
-INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
-if [ -f ${INITRAMFS_CONF} ]; then
-    sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
-    if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
-        sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
-    else
-        sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
-    fi
-fi
-
-MODULES_LIST_FILE=/etc/initramfs-tools/modules
-if [ -f ${MODULES_LIST_FILE} ]; then
-    for modname in ${INITRAMFS_MODULE_LIST}; do
-        if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
-            echo "$modname" >> "${MODULES_LIST_FILE}"
-        fi
-    done
-fi
-
-update-initramfs -v -u
diff --git a/scripts/generate-sb-db-from-existing-certificate.sh b/scripts/generate-sb-db-from-existing-certificate.sh
new file mode 100755
index 0000000..035f189
--- /dev/null
+++ b/scripts/generate-sb-db-from-existing-certificate.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+name=${SB_NAME:-snakeoil}
+keydir=${SB_KEYDIR:-./keys}
+if [ ! -d  ${keydir} ]; then
+    mkdir -p ${keydir}
+fi
+inkey=${INKEY:-/usr/share/ovmf/PkKek-1-snakeoil.key}
+incert=${INCERT:-/usr/share/ovmf/PkKek-1-snakeoil.pem}
+nick_name=${IN_NICK:-snakeoil}
+TMP=$(mktemp -d)
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+openssl pkcs12 -export -out ${TMP}/foo_key.p12 -inkey $inkey  -in $incert  -name $nick_name
+pk12util -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
+cp $incert ${keydir}/$(basename $incert)
+rm -rf $TMP
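Review bot: `openssl pkcs12 -export` has no `-passout` and `pk12util -i` no `-W`, so both prompt for a password and the script blocks when run non-interactively, unlike generate_secure_boot_keys.sh which passes `-passout pass:` and `-W ""`. There is also no `set -e`, so a failed `certutil -N` or `pk12util` still leaves a half-built `${name}certdb` behind, and `${keydir}` should be quoted.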
diff --git a/scripts/generate_secure_boot_keys.sh b/scripts/generate_secure_boot_keys.sh
new file mode 100755
index 0000000..8d3f8c0
--- /dev/null
+++ b/scripts/generate_secure_boot_keys.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+name=${SB_NAME:-demo}
+keydir=${SB_KEYDIR:-./keys}
+if [ ! -d  ${keydir} ]; then
+    mkdir -p ${keydir}
+fi
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}PK/" -outform PEM \
+        -keyout ${keydir}/${name}PK.key  -out ${keydir}/${name}PK.crt  -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}KEK/" -outform PEM \
+        -keyout ${keydir}/${name}KEK.key -out ${keydir}/${name}KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}DB/" -outform PEM \
+        -keyout ${keydir}/${name}DB.key  -out ${keydir}/${name}DB.crt  -days 3650 -nodes -sha256
+openssl x509 -in ${keydir}/${name}PK.crt  -out ${keydir}/${name}PK.cer  -outform DER
+openssl x509 -in ${keydir}/${name}KEK.crt -out ${keydir}/${name}KEK.cer -outform DER
+openssl x509 -in ${keydir}/${name}DB.crt  -out ${keydir}/${name}DB.cer  -outform DER
+
+openssl pkcs12 -export -out ${keydir}/${name}DB.p12 \
+        -in ${keydir}/${name}DB.crt -inkey ${keydir}/${name}DB.key -passout pass:
+
+GUID=$(uuidgen --random)
+echo $GUID > ${keydir}/${name}GUID
+
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}PK.crt  ${keydir}/${name}PK.esl
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}KEK.crt ${keydir}/${name}KEK.esl
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}DB.crt  ${keydir}/${name}DB.esl
+rm -f ${keydir}/${name}noPK.esl
+touch ${keydir}/${name}noPK.esl
+
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  PK ${keydir}/${name}PK.esl   ${keydir}/${name}PK.auth
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  PK ${keydir}/${name}noPK.esl ${keydir}/${name}noPK.auth
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  KEK ${keydir}/${name}KEK.esl ${keydir}/${name}KEK.auth
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  DB ${keydir}/${name}DB.esl ${keydir}/${name}DB.auth
+
+chmod 0600 ${keydir}/${name}*.key
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+
+certutil -A -n 'PK' -d ${keydir}/${name}certdb -t CT,CT,CT -i ${keydir}/${name}PK.crt
+pk12util -W "" -d ${keydir}/${name}certdb -i ${keydir}/${name}DB.p12
+certutil -d ${keydir}/${name}certdb -A -i ${keydir}/${name}DB.crt -n "" -t u
+
+certutil -d ${keydir}/${name}certdb -K
+certutil -d ${keydir}/${name}certdb -L
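Review bot: the script has no `set -e`, so a failing `openssl` or `sign-efi-sig-list` step is ignored and the following commands operate on missing files. The PK and KEK private keys are written unencrypted (`-nodes`) next to the DB key and `DB.p12` is exported with an empty password (`-passout pass:`); PK and KEK are only needed to enrol the variables, so they should be generated on a separate host or at least not kept in the build tree. The trailing `certutil -K`/`certutil -L` calls are debugging output that print the database contents on every run.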
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 38d2b2e..d291f75 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -80,17 +80,29 @@ class EfibootguardBootPlugin(SourcePlugin):
 
 
         boot_files = source_params.get("files", "").split(' ')
+        uefi_kernel = source_params.get("unified-kernel")
         cmdline = bootloader.append
-        root_dev = source_params.get("root", None)
-        if not root_dev:
-            msger.error("Specify root in source params")
-            exit(1)
+        if uefi_kernel:
+            boot_image = cls._create_unified_kernel_image(rootfs_dir,
+                                                          cr_workdir,
+                                                          cmdline,
+                                                          uefi_kernel,
+                                                          deploy_dir,
+                                                          kernel_image,
+                                                          initrd_image,
+                                                          source_params)
+            boot_files.append(boot_image)
+        else:
+            root_dev = source_params.get("root", None)
+            if not root_dev:
+                msger.error("Specify root in source params")
+                exit(1)
             root_dev = root_dev.replace(":", "=")
 
-        cmdline += " root=%s rw" % root_dev
-        boot_files.append(kernel_image)
-        boot_files.append(initrd_image)
-        cmdline += "initrd=%s" % initrd_image if initrd_image else ""
+            cmdline += " root=%s rw" % root_dev
+            boot_files.append(kernel_image)
+            boot_files.append(initrd_image)
+            cmdline += "initrd=%s" % initrd_image if initrd_image else ""
 
         part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
                                              part.label, part.lineno)
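Review bot: `if uefi_kernel:` switches on any non-empty value, so `unified-kernel=n` in a wks file still builds a unified image; either compare against an explicit value (`source_params.get("unified-kernel") in ("y", "yes", "1")`) or document that the mere presence of the parameter is the switch. While re-indenting the else branch, fix the pre-existing `cmdline += "initrd=%s" % initrd_image if initrd_image else ""`, which is appended directly after `" root=%s rw"` and yields `rwinitrd=...` without a separating space.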
@@ -160,3 +172,62 @@ class EfibootguardBootPlugin(SourcePlugin):
 
         part.size = bootimg_size
         part.source_file = bootimg
+
+    @classmethod
+    def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
+                                     uefi_kernel, deploy_dir, kernel_image,
+                                     initrd_image, source_params):
+        rootfs_path = rootfs_dir.get('ROOTFS_DIR')
+        os_release_file = "{root}/etc/os-release".format(root=rootfs_path)
+        efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linuxx64.efi.stub"\
+            .format(rootfs_path=rootfs_path)
+        msger.debug("osrelease path: %s", os_release_file)
+        kernel_cmdline_file = "{cr_workdir}/kernel-command-line-file.txt"\
+            .format(cr_workdir=cr_workdir)
+        with open(kernel_cmdline_file, "w") as cmd_fd:
+            cmd_fd.write(cmdline)
+        uefi_kernel_name = "linux.efi"
+        uefi_kernel_file = "{deploy_dir}/{uefi_kernel_name}"\
+            .format(deploy_dir=deploy_dir, uefi_kernel_name=uefi_kernel_name)
+        kernel = "{deploy_dir}/{kernel_image}"\
+            .format(deploy_dir=deploy_dir, kernel_image=kernel_image)
+        initrd = "{deploy_dir}/{initrd_image}"\
+            .format(deploy_dir=deploy_dir, initrd_image=initrd_image)
+        objcopy_cmd = 'objcopy \
+            --add-section .osrel={os_release_file} \
+            --change-section-vma .osrel=0x20000 \
+            --add-section .cmdline={kernel_cmdline_file} \
+            --change-section-vma .cmdline=0x30000 \
+            --add-section .linux={kernel} \
+            --change-section-vma .linux=0x2000000 \
+            --add-section .initrd={initrd} \
+            --change-section-vma .initrd=0x3000000 \
+            {efistub} {uefi_kernel_file}'.format(
+                os_release_file=os_release_file,
+                kernel_cmdline_file=kernel_cmdline_file,
+                kernel=kernel,
+                initrd=initrd,
+                efistub=efistub,
+                uefi_kernel_file=uefi_kernel_file)
+        exec_cmd(objcopy_cmd)
+
+        return cls._sign_file(name=uefi_kernel_name,
+                              signee=uefi_kernel_file,
+                              deploy_dir=deploy_dir,
+                              source_params=source_params)
+
+    @classmethod
+    def _sign_file(cls, name, signee, deploy_dir, source_params):
+        sign_script = source_params.get("signwith")
+        if sign_script and os.path.exists(sign_script):
+            msger.info("sign with script %s", sign_script)
+            name = name.replace(".efi", ".signed.efi")
+            sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\
+                .format(sign_script=sign_script, signee=signee,
+                        deploy_dir=deploy_dir, name=name)
+            exec_cmd(sign_cmd)
+        elif sign_script and not os.path.exists(sign_script):
+            msger.error("Could not find script %s", sign_script)
+            exit(1)
+
+        return name
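Review bot: `_sign_file` silently returns the unsigned `linux.efi` when `signwith` is absent, so a wks file that omits the parameter produces an image that looks secure-boot ready but will be refused by the firmware; log at least `msger.warning(...)` on that path and consider verifying the signature of the result. The signed file is written to `{deploy_dir}/{name}` here but to `cr_workdir` by the `_sign_file` added to efibootguard-efi.py; the two copies differ in output directory and in behaviour without a script, and should become one shared helper. Minor: `exit(1)` in plugin code should be `sys.exit(1)` or a raised exception so the caller can report the error.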
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index 5ee451f..6647212 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -64,10 +64,17 @@ class EfibootguardEFIPlugin(SourcePlugin):
         exec_cmd(create_dir_cmd)
 
         for bootloader in bootloader_files:
-            cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir,
-                                                  bootloader,
-                                                  part_rootfs_dir,
-                                                  bootloader)
+            signed_bootloader = cls._sign_file(bootloader,
+                                               "{}/{}".format(deploy_dir,
+                                                              bootloader
+                                                              ),
+                                               cr_workdir,
+                                               source_params)
+            # important the bootloader in deploy_dir is no longer signed
+            cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
+                                                signed_bootloader,
+                                                part_rootfs_dir,
+                                                bootloader)
             exec_cmd(cp_cmd, True)
         du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
         blocks = int(exec_cmd(du_cmd).split()[0])
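Review bot: the comment `# important the bootloader in deploy_dir is no longer signed` reads as if signing removed something; the code leaves `deploy_dir` untouched and copies the signed variant from `cr_workdir` under the original name, so reword it to e.g. `# the signed copy lives in cr_workdir; deploy_dir keeps the unsigned bootloader`. The `"{}/{}".format(deploy_dir,` / `bootloader` / `)` spread over four lines with a dangling parenthesis is also hard to read; a local `src = "%s/%s" % (deploy_dir, bootloader)` before the call would be clearer.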
@@ -100,3 +107,28 @@ class EfibootguardEFIPlugin(SourcePlugin):
 
         part.size = efi_part_image_size
         part.source_file = efi_part_image
+
+
+    @classmethod
+    def _sign_file(cls, name, signee, cr_workdir, source_params):
+        sign_script = source_params.get("signwith")
+        if sign_script and os.path.exists(sign_script):
+            work_name = name.replace(".efi", ".signed.efi")
+            sign_cmd = "{sign_script} {signee} \
+            {cr_workdir}/{work_name}".format(sign_script=sign_script,
+                                             signee=signee,
+                                             cr_workdir=cr_workdir,
+                                             work_name=work_name)
+            exec_cmd(sign_cmd)
+        elif sign_script and not os.path.exists(sign_script):
+            msger.error("Could not find script %s", sign_script)
+            exit(1)
+        else:
+            # if we do nothing copy the signee to the work directory
+            work_name = name
+            cp_cmd = "cp {signee} {cr_workdir}/{work_name}".format(
+                signee=signee,
+                cr_workdir=cr_workdir,
+                work_name=work_name)
+            exec_cmd(cp_cmd)
+        return work_name
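Review bot: this `_sign_file` duplicates the one added to efibootguard-boot.py with different semantics (copies the unsigned file on the no-script path, writes into `cr_workdir` rather than `deploy_dir`); extract a single helper used by both plugins so the two cannot drift apart. The `sign_cmd` literal `"{sign_script} {signee} \` followed by an indented `{cr_workdir}/{work_name}"` embeds the continuation indentation inside the command string; build it as `"%s %s %s/%s" % (sign_script, signee, cr_workdir, work_name)` on one line instead.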
diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh
new file mode 100755
index 0000000..3c56ebc
--- /dev/null
+++ b/scripts/start-efishell.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
+ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+DISK=$1
+qemu-system-x86_64 -enable-kvm -M q35 \
+ 	                 -cpu host,hv_relaxed,hv_vapic,hv-spinlocks=0xfff -smp 2 -m 2G -no-hpet \
+ 	                 -global ICH9-LPC.disable_s3=1 \
+ 	                 -global isa-fdc.driveA= \
+                   -boot menu=on \
+ 	                 -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+ 	                 -drive if=pflash,format=raw,file=${ovmf_vars} \
+                   -drive file=fat:rw:$DISK
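Review bot: `DISK=$1` is never validated, so running the script without an argument hands `-drive file=fat:rw:` to QEMU and fails with an unhelpful error; add `[ -n "$1" ] || { echo "usage: $0 <directory>" >&2; exit 1; }` and quote `"$DISK"`, `"${ovmf_code}"` and `"${ovmf_vars}"` so paths with spaces work. The continuation lines mix a leading space plus a tab (` \t`) with space-only indentation on the `-boot menu=on` and `-drive file=fat` lines; pick one style.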
diff --git a/start-qemu.sh b/start-qemu.sh
index 49f0266..74d1b54 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -15,6 +15,8 @@ usage()
 	echo "Usage: $0 ARCHITECTURE [QEMU_OPTIONS]"
 	echo -e "\nSet QEMU_PATH environment variable to use a locally " \
 		"built QEMU version"
+	echo -e "\nSet SECURE_BOOT environment variable to boot a secure boot environment " \
+		"This environment also needs the variables OVMF_VARS and OVMF_CODE set"
 	exit 1
 }
 
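Review bot: the two added `echo -e` strings are joined with only a trailing space, so the usage text prints `...secure boot environment This environment also needs...` as one run-on sentence; end the first string with a period or `\n`. The statement that `OVMF_VARS` and `OVMF_CODE` must be set also contradicts the `${OVMF_CODE:-...}` / `${OVMF_VARS:-...}` defaults added further down in this patch; say they are optional and name the defaults.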
@@ -22,17 +24,25 @@ if [ -n "${QEMU_PATH}" ]; then
 	QEMU_PATH="${QEMU_PATH}/"
 fi
 
+if [ -z "${DISTRO_RELEASE}" ]; then
+  DISTRO_RELEASE="buster"
+fi
+if [ -z "${TARGET_IMAGE}" ];then
+	TARGET_IMAGE="cip-core-image"
+fi
+
 case "$1" in
 	x86|x86_64|amd64)
 		DISTRO_ARCH=amd64
 		QEMU=qemu-system-x86_64
 		QEMU_EXTRA_ARGS=" \
-			-cpu host -smp 4 \
-			-enable-kvm -machine q35 \
+			-cpu qemu64 \
+			-smp 4 \
+			-machine q35,accel=kvm:tcg \
 			-device ide-hd,drive=disk \
 			-device virtio-net-pci,netdev=net"
 		KERNEL_CMDLINE=" \
-			root=/dev/sda vga=0x305 console=ttyS0"
+			root=/dev/sda vga=0x305"
 		;;
 	arm64|aarch64)
 		DISTRO_ARCH=arm64
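Review bot: the new `DISTRO_RELEASE` block is indented with two spaces while the rest of the file uses tabs, and the `TARGET_IMAGE` test is written `];then` without the space; match the existing style. Replacing `-cpu host -enable-kvm` with `-cpu qemu64` and `-machine q35,accel=kvm:tcg` is a behaviour change (fewer CPU features exposed to the guest, silent fallback to TCG when KVM is unavailable) that is not motivated by the secure-boot work and deserves a sentence in the commit message.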
@@ -71,21 +81,41 @@ case "$1" in
 		;;
 esac
 
-if [ -z "${DISTRO_RELEASE}" ]; then
-	DISTRO_RELEASE="buster"
-fi
-
-IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
-IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
+IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
 
 if [ -z "${DISPLAY}" ]; then
 	QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic"
+	case "$1" in
+		x86|x86_64|amd64)
+			KERNEL_CMDLINE="${KERNEL_CMDLINE} console=ttyS0"
+	esac
+fi
+
+
+
+if [ -n "SECURE_BOOT" ]; then
+		ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
+		ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+		QEMU_EXTRA_ARGS=" \
+										${QEMU_EXTRA_ARGS} \
+										-global ICH9-LPC.disable_s3=1 \
+											-global isa-fdc.driveA= \
+										"
+		BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+									-drive if=pflash,format=raw,file=${ovmf_vars} \
+								-drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw"
+else
+		IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
+
+		KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1)
+		INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1)
+
+		BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
+						-initrd ${INITRD_FILE}
 fi
 
 shift 1
 
 ${QEMU_PATH}${QEMU} \
-	-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
 	-m 1G -serial mon:stdio -netdev user,id=net \
-	-kernel ${IMAGE_PREFIX}-vmlinuz -append "${KERNEL_CMDLINE}" \
-	-initrd ${IMAGE_PREFIX}-initrd.img ${QEMU_EXTRA_ARGS} "$@"
+	${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@"
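Review bot: `if [ -n "SECURE_BOOT" ]; then` tests the literal string, not the variable, so the secure-boot branch is always taken and the `else` path (direct kernel boot from `.ext4.img`) is dead code; it must be `[ -n "${SECURE_BOOT}" ]`. In that else branch `BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \` is an assignment of the single word `-kernel` followed by an attempt to execute `${KERNEL_FILE}` with the remaining words as arguments; the whole value needs quoting. Even quoted, the embedded `-append "${KERNEL_CMDLINE}"` is not re-parsed when `${BOOT_FILES}` is expanded unquoted on the final QEMU line, so a command line containing spaces splits into separate arguments; keep `-append "${KERNEL_CMDLINE}"` on the QEMU invocation itself (or use a bash array). The new block is also indented far deeper than the surrounding file.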
diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc
new file mode 100644
index 0000000..667e014
--- /dev/null
+++ b/wic/ebg-signed-bootloader.inc
@@ -0,0 +1,2 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi  --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi   --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
index 3cd7360..9ccf501 100644
--- a/wic/qemu-amd64-efibootguard.wks
+++ b/wic/qemu-amd64-efibootguard.wks
@@ -1,5 +1,9 @@
 # short-description: Qemu-amd64 with Efibootguard and SWUpdate
 # long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
+include ebg-signed-bootloader.inc
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
 
-include ebg-sysparts.inc
 include swupdate-partition.inc
-- 
2.20.1


[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4861): https://lists.cip-project.org/g/cip-dev/message/4861
Mute This Topic: https://lists.cip-project.org/mt/75190455/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

^ permalink raw reply related	[flat|nested] 29+ messages in thread

* [cip-dev] [isar-cip-core PATCH v2 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use
  2020-06-29 12:53 ` [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard Quirin Gylstorff
                     ` (3 preceding siblings ...)
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 4/6] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
@ 2020-06-29 12:53   ` Quirin Gylstorff
  2020-06-29 12:54   ` [cip-dev] [isar-cip-core PATCH v2 6/6] doc: Add README for secureboot Quirin Gylstorff
  2020-07-24 15:01   ` [cip-dev] [isar-cip-core PATCH v3 0/6] secureboot with efibootguard Quirin Gylstorff
  6 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-29 12:53 UTC (permalink / raw)
  To: Jan.Kiszka, cip-dev; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 8107 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Use the Debian snakeoil keys to have a demo case available without
the OVMF setup. Copy the used keys from the build to the deploy
directory to allow usage in non-Debian distributions.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 conf/distro/debian-buster-backports.list      |  1 +
 conf/distro/preferences.ovmf-snakeoil.conf    |  3 ++
 kas/opt/ebg-secure-boot-snakeoil.yml          | 27 ++++++++++++++
 .../ebg-secure-boot-snakeoil_0.1.bb           | 35 ++++++++++++++++++
 .../files/control.tmpl                        | 12 +++++++
 .../files/sign_secure_image.sh                | 36 +++++++++++++++++++
 .../ovmf-binaries/files/control.tmpl          | 11 ++++++
 .../ovmf-binaries/ovmf-binaries_0.1.bb        | 30 ++++++++++++++++
 start-qemu.sh                                 |  4 +--
 9 files changed, 157 insertions(+), 2 deletions(-)
 create mode 100644 conf/distro/debian-buster-backports.list
 create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
 create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
 create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
 create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb

diff --git a/conf/distro/debian-buster-backports.list b/conf/distro/debian-buster-backports.list
new file mode 100644
index 0000000..f2dd104
--- /dev/null
+++ b/conf/distro/debian-buster-backports.list
@@ -0,0 +1 @@
+deb http://ftp.us.debian.org/debian buster-backports main contrib non-free
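Review bot: the backports source hardcodes `ftp.us.debian.org` over plain `http`; the CDN name `deb.debian.org` (also reachable via https) is the usual choice and avoids pinning every build to a single US mirror. apt's Release-file signature check applies either way, so this is an availability point rather than an integrity one.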
diff --git a/conf/distro/preferences.ovmf-snakeoil.conf b/conf/distro/preferences.ovmf-snakeoil.conf
new file mode 100644
index 0000000..b51d1d4
--- /dev/null
+++ b/conf/distro/preferences.ovmf-snakeoil.conf
@@ -0,0 +1,3 @@
+Package: ovmf
+Pin: release n=buster-backports
+Pin-Priority: 801
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
new file mode 100644
index 0000000..a43ddb5
--- /dev/null
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -0,0 +1,27 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 8
+  includes:
+   - ebg-secure-boot-base.yml
+
+
+local_conf_header:
+  secure-boot: |
+    # Add snakeoil and ovmf binaries for qemu
+    IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
+    IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
+
+  ovmf: |
+    # snakeoil certs are only part of backports
+    DISTRO_APT_SOURCES_append = " conf/distro/debian-buster-backports.list"
+    DISTRO_APT_PREFERENCES_append = " conf/distro/preferences.ovmf-snakeoil.conf"
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
new file mode 100644
index 0000000..89abbcf
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
@@ -0,0 +1,35 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Add script to sign for secure boot with the debian snakeoil keys"
+# used to sign the image
+DEBIAN_DEPENDS = "pesign,  sbsigntool, ovmf, openssl, libnss3-tools"
+
+
+# this package cannot be install together with:
+DEBIAN_CONFLICTS = "ebg-secure-boot-secrets"
+
+SRC_URI = "file://sign_secure_image.sh \
+           file://control.tmpl"
+
+TEMPLATE_FILES = "control.tmpl"
+TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
+
+do_install() {
+    TARGET=${D}/usr/bin
+    install -d ${TARGET}
+    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
+}
+
+addtask do_install after do_transform_template
+
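Review bot: the file ends with an added empty line (the trailing `+` in this hunk), which git flags as whitespace damage; drop it. Also `DEBIAN_DEPENDS = "pesign,  sbsigntool, ...` has a double space after `pesign,`, and the comment `this package cannot be install together with:` should read `installed`.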
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
new file mode 100644
index 0000000..8361a49
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
@@ -0,0 +1,12 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: ${MAINTAINER}
+Build-Depends: debhelper (>= 9)
+
+Package: ${PN}
+Architecture: ${DPKG_ARCH}
+Depends: ${DEBIAN_DEPENDS}
+Description: ${DESCRIPTION}
+Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
new file mode 100644
index 0000000..081dbe9
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+set -e
+set -x
+signee=$1
+signed=$2
+
+usage(){
+    echo "sign with debian snakeoil"
+    echo "$0 signee signed"
+    echo "signee: path to the image to be signed"
+    echo "signed: path to store the signed image"
+}
+
+
+if [ -z "$signee" ] || [ -z "$signed" ]; then
+    usage
+    exit 1
+fi
+
+name=snakeoil
+keydir=$(mktemp -d)
+inkey=/usr/share/ovmf/PkKek-1-snakeoil.key
+incert=/usr/share/ovmf/PkKek-1-snakeoil.pem
+nick_name=snakeoil
+TMP=$(mktemp -d)
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+openssl pkcs12 -export -passin pass:"snakeoil" -passout pass: -out ${TMP}/foo_key.p12 -inkey $inkey  -in $incert  -name $nick_name
+pk12util -W "" -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
+cp $incert ${keydir}/$(basename $incert)
+rm -rf $TMP
+
+pesign --force --verbose --padding -n ${keydir}/${name}certdb -c "$nick_name" -s -i $signee -o $signed
+sbverify --cert $incert $signed
+rm -rf $keydir
+exit 0
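Review bot: with `set -e` and no `trap`, a failure in `openssl`, `pk12util` or `pesign` exits before the `rm -rf $TMP` / `rm -rf $keydir` lines run, leaving the exported `.p12` (empty export password) and the NSS database behind in `/tmp`; add `trap 'rm -rf "$TMP" "$keydir"' EXIT` right after the `mktemp -d` calls and drop the manual cleanup. `set -x` also echoes `-passin pass:"snakeoil"` into the build log; harmless for the public snakeoil key, but worth a comment so nobody reuses this script for a real signing key without removing `set -x` and switching to `-passin file:`. The `sbverify --cert $incert $signed` check after signing is good; keep it.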
diff --git a/recipes-devtools/ovmf-binaries/files/control.tmpl b/recipes-devtools/ovmf-binaries/files/control.tmpl
new file mode 100644
index 0000000..54641d6
--- /dev/null
+++ b/recipes-devtools/ovmf-binaries/files/control.tmpl
@@ -0,0 +1,11 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: ${MAINTAINER}
+Build-Depends: debhelper (>= 9), ${DEBIAN_BUILD_DEPENDS}
+
+Package: ${PN}
+Architecture: ${DPKG_ARCH}
+Depends: ${DEBIAN_DEPENDS}
+Description: ${DESCRIPTION}
diff --git a/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
new file mode 100644
index 0000000..025b970
--- /dev/null
+++ b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
@@ -0,0 +1,30 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Copy the OVMF biniaries from the build changeroot to the deploy dir"
+
+# this is a empty debian package
+SRC_URI = "file://control.tmpl"
+
+DEBIAN_BUILD_DEPENDS = "ovmf"
+TEMPLATE_FILES = "control.tmpl"
+TEMPLATE_VARS += "PN DEBIAN_DEPENDS MAINTAINER DESCRIPTION DPKG_ARCH DEBIAN_BUILD_DEPENDS"
+
+
+do_extract_ovmf() {
+    install -m 0755 -d ${DEPLOY_DIR_IMAGE}
+    cp -r ${BUILDCHROOT_DIR}/usr/share/OVMF ${DEPLOY_DIR_IMAGE}
+    chown $(id -u):$(id -g) ${DEPLOY_DIR_IMAGE}/OVMF
+}
+
+addtask do_extract_ovmf after do_install_builddeps before do_dpkg_build
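Review bot: `chown $(id -u):$(id -g) ${DEPLOY_DIR_IMAGE}/OVMF` changes only the directory, not the `.fd` files that `cp -r` placed inside it, so they keep the ownership from the build chroot; use `chown -R`. Typos in the metadata: `biniaries` (binaries), `changeroot` (chroot), `a empty debian package` (an empty Debian package).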
diff --git a/start-qemu.sh b/start-qemu.sh
index 74d1b54..3a3b2f7 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -94,8 +94,8 @@ fi
 
 
 if [ -n "SECURE_BOOT" ]; then
-		ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
-		ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+		ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd}
+		ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS.snakeoil.fd}
 		QEMU_EXTRA_ARGS=" \
 										${QEMU_EXTRA_ARGS} \
 										-global ICH9-LPC.disable_s3=1 \
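Review bot: the context line `if [ -n "SECURE_BOOT" ]; then` still tests a literal string and is therefore always true; since this hunk touches the block anyway, change it to `"${SECURE_BOOT}"` here. The new defaults hardcode `qemu-amd64` and a relative `./build/...` prefix although the script already knows `DISTRO_ARCH` and derives `IMAGE_PREFIX` from `$(dirname $0)`; build the OVMF path from those so the script works from other directories and is not silently wrong for other architectures.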
-- 
2.20.1



* [cip-dev] [isar-cip-core PATCH v2 6/6] doc: Add README for secureboot
  2020-06-29 12:53 ` [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard Quirin Gylstorff
                     ` (4 preceding siblings ...)
  2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
@ 2020-06-29 12:54   ` Quirin Gylstorff
  2020-06-29 13:54     ` Jan Kiszka
  2020-07-24 15:01   ` [cip-dev] [isar-cip-core PATCH v3 0/6] secureboot with efibootguard Quirin Gylstorff
  6 siblings, 1 reply; 29+ messages in thread
From: Quirin Gylstorff @ 2020-06-29 12:54 UTC (permalink / raw)
  To: Jan.Kiszka, cip-dev; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 8134 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.secureboot.md | 188 +++++++++++++++++++++++++++++++++++++++
 kas/opt/ebg-swu.yml      |   2 +-
 2 files changed, 189 insertions(+), 1 deletion(-)
 create mode 100644 doc/README.secureboot.md

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
new file mode 100644
index 0000000..5cbbc23
--- /dev/null
+++ b/doc/README.secureboot.md
@@ -0,0 +1,188 @@
+# Efibootguard Secure boot
+
+This document describes how to generate a secure boot capable image with
+[efibootguard](https://github.com/siemens/efibootguard).
+
+## Description
+
+The image build signs the efibootguard bootloader (bootx64.efi) and generates
+a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
+A unified kernel image packs the kernel, initramfs and the kernel command-line
+in one binary object. As the kernel command-line is immutable after the build
+process, the previous selection of the root file system with a command-line parameter is no longer
+possible. Therefore the selection of the root file-system occurs now in the initramfs.
+
+The image uses an A/B partition layout to update the root file system. The sample implementation to
+select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
+During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
+If a match is found the rootfs is used for the boot.
+
+## Adaptation for Images
+
+###  WIC
+The following elements must be present in a wks file to create a secure boot capable image.
+
+```
+part --source efibootguard-efi  --sourceparams "signwith=<script or executable to sign the image>"
+part --source efibootguard-boot --sourceparams "uefikernel=<name of the unified kernel>,signwith=<script or executable to sign the image>"
+```
+
+#### Script or executable to sign the image
+
+The wic plugins for the [bootloader](./scripts/lib/wic/plugins/source/efibootguard-efi.py)
+and [boot partition](./scripts/lib/wic/plugins/source/efibootguard-boot.py) require an
+executable or script with the following interface:
+```
+<script_name> <inputfile> <outputfile>
+```
+- script name: name and path of the script added with
+`--sourceparams "signwith=/usr/bin/sign_secure_image.sh"` to the wic image
+- inputfile: path and name of the file to be signed
+- outputfile: path and name of the signed input
+
+Supply the script name and path to wic by adding
+`signwith=<path and name of the script to sign>"` to sourceparams of the partition.
+
+
+### Existing packages to sign an image
+
+#### ebg-secure-boot-snakeoil
+
+This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2)
+backported from Debian bullseye and signs the image.
+
+#### ebg-secure-boot-secrets
+This package takes a user-generated certificate and adds it to the build system.
+The following variable and steps are necessary to build a secure boot capable image:
+- Set certification information to sign and verify the image with:
+    - SB_CERTDB: The directory containing the certificate database create with certutil
+    - SB_VERIFY_CERT: The certificate to verify the signing process
+    - SB_KEY_NAME: Name of the key in the certificate database
+- if necessary change the script to select the boot partition after an update
+    - recipes-support/initramfs-config/files/initramfs.selectrootfs.script
+
+The files referred by SB_CERTDB and SB_VERIFY_CERT must be store in  `recipes-devtools/ebg-secure-boot-secrets/files/`
+
+## QEMU
+
+Set up a secure boot test environment with [QEMU](https://www.qemu.org/)
+
+### Prerequisites
+
+- OVMF from edk2 release edk2-stable201911 or newer
+  - This documentation was tested under Debian 10 with OVMF (0.0~20200229-2) backported from Debian
+  bullseye
+- efitools for KeyTool.efi
+  - This documentation was tested under Debian 10 with efitools (1.9.2-1) backported from Debian bullseye
+- libnss3-tools
+
+### Debian Snakeoil keys
+
+The build copies the  Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF. Y
+u can use them as described in section [Start Image](### Start the image).
+
+### Generate Keys
+
+#### Reuse exiting keys
+
+It is possible to use exiting keys like /usr/share/ovmf/PkKek-1-snakeoil.pem' from Debian
+by executing the script  `scripts/generate-sb-db-from-existing-certificate.sh`, e.g.:
+```
+export SB_NAME=<name for the secureboot config>
+export SB_KEYDIR=<location to store the database>
+export INKEY=<secret key of the certificate>
+export INCERT=<certificate>
+export INNICK=<name of the certificate in the database>
+scripts/generate-sb-db-from-existing-certificate.sh
+```
+This will create the directory `SB_KEYDIR` and will store the `${SB_NAME}certdb` with the given name.
+
+Copy the used certificate and database to `recipes-devtools/ebg-secure-boot-secrets/files/`
+
+#### Generate keys
+
+To generate the necessary keys and information to test secure-boot with QEMU
+execute the script `scripts/generate_secure_boot_keys.sh`
+
+##### Add Keys to OVMF
+1. Create a folder and copy the generated keys and KeyTool.efi
+(in Debian the file can be found at: /lib/efitools/x86_64-linux-gnu/KeyTool.efi) to the folder
+```
+mkdir secureboot-tools
+cp -r keys secureboot-tools
+cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools
+```
+2. Copy the file OVMF_VARS.fd (in Debian the file can be found at /usr/share/OVMF/OVMF_VARS.fd)
+to the current directory. OVMF_VARS.fd contains no keys can be instrumented for secureboot.
+3. Start QEMU with the script scripts/start-efishell.sh
+```
+scripts/start-efishell.sh secureboot-tools
+```
+4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+          -> "Edit Keys"
+             -> "The Allowed Signatures Database (db)"
+                -> "Add New Key"
+                -> Change/Confirm device
+                -> Select "DB.esl" file
+             -> "The Key Exchange Key Database (KEK)"
+                -> "Add New Key"
+                -> Change/Confirm device
+                -> Select "KEK.esl" file
+             -> "The Platform Key (PK)
+                -> "Replace Key(s)"
+                -> Change/Confirm device
+                -> Select "PK.auth" file
+5. quit QEMU
+
+### Build image
+
+Build the image with a signed efibootguard and unified kernel image
+with the snakeoil keys by executing:
+```
+kas-docker --isar build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
+```
+
+For user-generated keys, create a new option file. This option file could look like this:
+```
+header:
+  version: 8
+  includes:
+   - opt/ebg-swu.yml
+   - opt/ebg-secure-boot-initramfs.yml
+
+local_conf_header:
+  secure-boot: |
+    IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
+    IMAGER_INSTALL += "ebg-secure-boot-secrets"
+  user-keys:
+    SB_CERTDB = "democertdb"
+    SB_VERIFY_CERT = "demo.crt"
+    SB_KEY_NAME = "demo"
+```
+
+Replace `demo` with the name of the user-generated certificates.
+
+### Start the image
+
+#### Debian snakeoil
+
+Start the image with the following command:
+```
+SECURE_BOOT=y \
+./start-qemu.sh amd64
+```
+
+The default `OVMF_VARS.snakeoil.fd` boot to the EFI shell. To boot Linux enter the following command:
+```
+FS0:\EFI\BOOT\bootx64.efi
+```
+To change the boot behavior, enter `exit` in the shell to enter the bios and change the boot order.
+
+#### User-generated keys
+Start the image with the following command:
+```
+SECURE_BOOT=y \
+OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd \
+OVMF_VARS=<path to the modified OVMF_VARS.fd> \
+./start-qemu.sh amd64
+```
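Review bot: the WIC section documents `--sourceparams "uefikernel=<name of the unified kernel>"`, but the plugin reads `source_params.get("unified-kernel")`, the shipped wks file passes `unified-kernel=y`, and the output name is fixed to `linux.efi` in the plugin, so a reader following the README lands on the non-unified code path; document `unified-kernel=y` and the fixed file name. Smaller points in the same hunk: `[Start Image](### Start the image)` is not a valid markdown link (use `#start-the-image`); the `./build/tmp/deploy/images/<machine>/OVMF` path has an unclosed backtick and the sentence is split as `Y` / `u can use them`; `exiting` should be `existing` (twice); `OVMF_VARS.fd contains no keys can be instrumented` is missing `and`; `the the following steps`; `must be store in` should be `stored`; `boot to the EFI shell` should be `boots`. Consider also stating in the ebg-secure-boot-secrets section that `recipes-devtools/ebg-secure-boot-secrets/files/` receives the private key material referenced by `SB_CERTDB`, so it should not be committed to a shared tree.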
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index 5b39730..81d90ad 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -22,5 +22,5 @@ local_conf_header:
     WICVARS += "WDOG_TIMEOUT"
 
   wic: |
-    IMAGE_TYPE = "wic-img"
+    IMAGE_TYPE = "wic-swu-img"
     WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks"
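Review bot: switching `IMAGE_TYPE` from `wic-img` to `wic-swu-img` is a functional change to the SWUpdate image configuration with no connection to adding a README; move it into its own patch with a commit message that explains why the SWU wrapper is now required.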
-- 
2.20.1



* Re: [cip-dev] [isar-cip-core PATCH v2 6/6] doc: Add README for secureboot
  2020-06-29 12:54   ` [cip-dev] [isar-cip-core PATCH v2 6/6] doc: Add README for secureboot Quirin Gylstorff
@ 2020-06-29 13:54     ` Jan Kiszka
  0 siblings, 0 replies; 29+ messages in thread
From: Jan Kiszka @ 2020-06-29 13:54 UTC (permalink / raw)
  To: Q. Gylstorff, cip-dev

[-- Attachment #1: Type: text/plain, Size: 796 bytes --]

On 29.06.20 14:54, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>   doc/README.secureboot.md | 188 +++++++++++++++++++++++++++++++++++++++
>   kas/opt/ebg-swu.yml      |   2 +-

...

> diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
> index 5b39730..81d90ad 100644
> --- a/kas/opt/ebg-swu.yml
> +++ b/kas/opt/ebg-swu.yml
> @@ -22,5 +22,5 @@ local_conf_header:
>       WICVARS += "WDOG_TIMEOUT"
>   
>     wic: |
> -    IMAGE_TYPE = "wic-img"
> +    IMAGE_TYPE = "wic-swu-img"
>       WKS_FILE = "${MACHINE}-${BOOTLOADER}.wks"
> 

You are trying to sneak in more than a README ;)

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

View/Reply Online (#4864): https://lists.cip-project.org/g/cip-dev/message/4864

* [cip-dev] [isar-cip-core PATCH v3 0/6] secureboot with efibootguard
  2020-06-29 12:53 ` [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard Quirin Gylstorff
                     ` (5 preceding siblings ...)
  2020-06-29 12:54   ` [cip-dev] [isar-cip-core PATCH v2 6/6] doc: Add README for secureboot Quirin Gylstorff
@ 2020-07-24 15:01   ` Quirin Gylstorff
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64 Quirin Gylstorff
                       ` (5 more replies)
  6 siblings, 6 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-07-24 15:01 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 5980 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds secureboot with efibootguard to cip-core.

The image build signs the efibootguard bootloader (bootx64.efi) and generates
a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
A unified kernel image packs the kernel, initramfs and the kernel command-line
in one binary object. As the kernel command-line is immutable after the build
process, the previous selection of the root file system with a command-line parameter is no longer
possible. Therefore the selection of the root file-system occurs now in the initramfs.

The image uses an A/B partition layout to update the root file system. The sample implementation to
select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
If a match is found the rootfs is used for the boot.

Changes V2:

- rebase to [1]
- removed luahandler patch as it is now part of [1]
- add handling for sw-description

Changes V3:

- rewrite the image id creation to ensure a new uuid is generated if a new package is
  added or the rootfs changes in another way
- add a README section on how to execute/test the software update mechanism
- adapt to version v3 of [1]
- update the patch
- add wks file for efibootguard and swupdate


[1]: a/b rootfsupdate with software update



Quirin Gylstorff (6):
  kernel: add fat for qemu-amd64
  isar-patch: Add initramfs-config patch
  secure-boot: select boot partition in initramfs
  secure-boot: Add secure boot with unified kernel image
  secure-boot: Add Debian snakeoil keys for ease-of-use
  doc: Add README for secureboot

 classes/image_uuid.bbclass                    |  33 +++
 conf/distro/debian-buster-backports.list      |   1 +
 conf/distro/preferences.ovmf-snakeoil.conf    |   3 +
 doc/README.secureboot.md                      | 229 ++++++++++++++++++
 ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++
 kas-cip.yml                                   |   3 +
 kas/opt/ebg-secure-boot-base.yml              |  18 ++
 kas/opt/ebg-secure-boot-snakeoil.yml          |  28 +++
 recipes-core/images/cip-core-image.bb         |  11 +-
 .../files/secure-boot/sw-description.tmpl     |  29 +++
 recipes-core/images/files/sw-description.tmpl |   2 +-
 recipes-core/images/secureboot.inc            |  21 ++
 recipes-core/images/swupdate.inc              |  19 ++
 .../ebg-secure-boot-secrets_0.1.bb            |  51 ++++
 .../ebg-secure-boot-secrets/files/README.md   |   1 +
 .../files/control.tmpl                        |  12 +
 .../files/sign_secure_image.sh.tmpl           |  22 ++
 .../ebg-secure-boot-snakeoil_0.1.bb           |  35 +++
 .../files/control.tmpl                        |  12 +
 .../files/sign_secure_image.sh                |  36 +++
 .../ovmf-binaries/files/control.tmpl          |  11 +
 .../ovmf-binaries/ovmf-binaries_0.1.bb        |  30 +++
 .../linux/files/qemu-amd64_defconfig          |   6 +
 .../files/initramfs.image_uuid.hook           |  33 +++
 .../files/initramfs.lsblk.hook                |  29 +++
 .../initramfs-config/files/postinst.ext       |   3 +
 .../files/secure-boot-debian-local-patch      |  79 ++++++
 .../initramfs-abrootfs-secureboot_0.1.bb      |  38 +++
 ...enerate-sb-db-from-existing-certificate.sh |  16 ++
 scripts/generate_secure_boot_keys.sh          |  51 ++++
 .../wic/plugins/source/efibootguard-boot.py   |  87 ++++++-
 .../wic/plugins/source/efibootguard-efi.py    |  40 ++-
 scripts/start-efishell.sh                     |  12 +
 start-qemu.sh                                 |  54 ++++-
 wic/ebg-signed-bootloader.inc                 |   2 +
 wic/qemu-amd64-efibootguard-secureboot.wks    |   9 +
 wic/qemu-amd64-efibootguard.wks               |   6 +-
 37 files changed, 1245 insertions(+), 34 deletions(-)
 create mode 100644 classes/image_uuid.bbclass
 create mode 100644 conf/distro/debian-buster-backports.list
 create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
 create mode 100644 doc/README.secureboot.md
 create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
 create mode 100644 kas/opt/ebg-secure-boot-base.yml
 create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
 create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
 create mode 100644 recipes-core/images/secureboot.inc
 create mode 100644 recipes-core/images/swupdate.inc
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
 create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
 create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
 create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
 create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
 create mode 100644 recipes-support/initramfs-config/files/postinst.ext
 create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
 create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
 create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
 create mode 100755 scripts/generate_secure_boot_keys.sh
 create mode 100755 scripts/start-efishell.sh
 create mode 100644 wic/ebg-signed-bootloader.inc
 create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks

-- 
2.20.1
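The A/B root selection the cover letter describes, written out as an added shell example (not code from the isar-cip-core series): constructed directories stand in for the candidate partitions that the real `local` script enumerates with blkid and mounts one by one, and the os-release parsing uses the same `sed ... | tr -d '"'` expression as the series' initramfs patch. The function returns the matching slot or fails, which is the point where the real initramfs panics instead of guessing.

```shell
#!/bin/sh
# Added example, not part of the isar-cip-core series: selects the A/B
# root slot by comparing the IMAGE_UUID baked into the initramfs with
# the IMAGE_UUID found in each candidate's /etc/os-release.
set -eu

# Extract IMAGE_UUID from <root>/etc/os-release the way the series'
# patched `local` script does: drop the key, then the surrounding quotes.
# Prints nothing when the key is absent; returns 1 when the file is absent.
read_image_uuid() {
    [ -r "$1/etc/os-release" ] || return 1
    sed -n 's/^IMAGE_UUID=//p' "$1/etc/os-release" | tr -d '"'
}

# $1: the uuid the initramfs carries (the series stores it in /conf/image_uuid)
# $2...: candidate root directories (stand-ins for mounted partitions)
# Prints the first candidate whose IMAGE_UUID equals $1; returns 1 if none
# matches, which is where the real initramfs panics rather than booting anything.
select_rootfs() {
    want="$1"; shift
    [ -n "$want" ] || return 1          # an empty uuid must never match anything
    for cand in "$@"; do
        have=$(read_image_uuid "$cand" || true)
        if [ -n "$have" ] && [ "$have" = "$want" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Constructed fixture: slot A holds the previous image, slot B the freshly
# updated one, and C is a filesystem that carries no IMAGE_UUID at all.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/A/etc" "$dir/B/etc" "$dir/C/etc"
    printf 'PRETTY_NAME="CIP Core (slot A)"\nIMAGE_UUID="11111111-2222-4333-8444-555555555555"\n' \
        > "$dir/A/etc/os-release"
    printf 'PRETTY_NAME="CIP Core (slot B)"\nIMAGE_UUID="aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"\n' \
        > "$dir/B/etc/os-release"
    printf 'PRETTY_NAME="data partition"\n' > "$dir/C/etc/os-release"
    printf '%s\n' "$dir"
}

# Stand-alone run: boot "into" slot B, then show the no-match failure path.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    select_rootfs "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee" "$fx/A" "$fx/C" "$fx/B"
    select_rootfs "deadbeef-0000-4000-8000-000000000000" "$fx/A" "$fx/B" \
        || echo "no root file system with matching IMAGE_UUID (initramfs would panic here)"
    rm -rf "$fx"
fi
```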


View/Reply Online (#5005): https://lists.cip-project.org/g/cip-dev/message/5005

* [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64
  2020-07-24 15:01   ` [cip-dev] [isar-cip-core PATCH v3 0/6] secureboot with efibootguard Quirin Gylstorff
@ 2020-07-24 15:01     ` Quirin Gylstorff
  2020-07-29 16:47       ` Jan Kiszka
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 2/6] isar-patch: Add initramfs-config patch Quirin Gylstorff
                       ` (4 subsequent siblings)
  5 siblings, 1 reply; 29+ messages in thread
From: Quirin Gylstorff @ 2020-07-24 15:01 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 827 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Add a FAT configuration to access FAT partitions on the qemu-amd64
target.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 recipes-kernel/linux/files/qemu-amd64_defconfig | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/recipes-kernel/linux/files/qemu-amd64_defconfig b/recipes-kernel/linux/files/qemu-amd64_defconfig
index 7487152..5449317 100644
--- a/recipes-kernel/linux/files/qemu-amd64_defconfig
+++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
@@ -351,3 +351,9 @@ CONFIG_CRYPTO_DEV_CCP=y
 # CONFIG_XZ_DEC_ARM is not set
 # CONFIG_XZ_DEC_ARMTHUMB is not set
 # CONFIG_XZ_DEC_SPARC is not set
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
-- 
2.20.1


View/Reply Online (#5003): https://lists.cip-project.org/g/cip-dev/message/5003

* [cip-dev] [isar-cip-core PATCH v3 2/6] isar-patch: Add initramfs-config patch
  2020-07-24 15:01   ` [cip-dev] [isar-cip-core PATCH v3 0/6] secureboot with efibootguard Quirin Gylstorff
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64 Quirin Gylstorff
@ 2020-07-24 15:01     ` Quirin Gylstorff
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 3/6] secure-boot: select boot partition in initramfs Quirin Gylstorff
                       ` (3 subsequent siblings)
  5 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-07-24 15:01 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 8927 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Adapt the initramfs generation to set, for example, the root device
in the initramfs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++++
 kas-cip.yml                                   |   3 +
 2 files changed, 210 insertions(+)
 create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch

diff --git a/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
new file mode 100644
index 0000000..f8fb28e
--- /dev/null
+++ b/isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
@@ -0,0 +1,207 @@
+From 7c85e2e363fd39e60bf5041d02e14e8bd62c1a68 Mon Sep 17 00:00:00 2001
+From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+Date: Tue, 24 Mar 2020 17:58:08 +0100
+Subject: [PATCH v7 1/3] meta/support: Generate a custom initramfs
+
+This package sets the Parameters for mkinitramfs/update-intramfs
+before it regenerates the initrd.img of debian with a modified version.
+
+Use cases are the remove unnecessary kernel modules to reduce the
+size of the initrd by using the parameters:
+```
+INITRAMFS_MODULES = "list"
+INITRAMFS_MODULE_LIST += "ext4"
+```
+
+Set the boot root during the initrd generation by setting `INITRAMFS_ROOT`.
+
+see also man pages of mkinitramfs and initramfs.conf.
+
+Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
+---
+ .../initramfs-config/initramfs-config_0.1.bb  |  6 +++
+ .../initramfs-config/files/control.tmpl       | 12 +++++
+ .../initramfs-config/files/postinst.tmpl      | 50 +++++++++++++++++++
+ .../initramfs-config/files/postrm.tmpl        | 41 +++++++++++++++
+ .../initramfs-config/initramfs-config.inc     | 32 ++++++++++++
+ 5 files changed, 141 insertions(+)
+ create mode 100644 meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+ create mode 100644 meta/recipes-support/initramfs-config/files/control.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/files/postinst.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/files/postrm.tmpl
+ create mode 100644 meta/recipes-support/initramfs-config/initramfs-config.inc
+
+diff --git a/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+new file mode 100644
+index 0000000..c951e8a
+--- /dev/null
++++ b/meta-isar/recipes-support/initramfs-config/initramfs-config_0.1.bb
+@@ -0,0 +1,6 @@
++#
++# Copyright (C) Siemens AG, 2020
++#
++# SPDX-License-Identifier: MIT
++
++require recipes-support/initramfs-config/initramfs-config.inc
+diff --git a/meta/recipes-support/initramfs-config/files/control.tmpl b/meta/recipes-support/initramfs-config/files/control.tmpl
+new file mode 100644
+index 0000000..66984eb
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/control.tmpl
+@@ -0,0 +1,12 @@
++Source: ${PN}
++Section: misc
++Priority: optional
++Standards-Version: 3.9.6
++Maintainer: isar-users <isar-users@googlegroups.com>
++Build-Depends: debhelper (>= 9)
++
++
++Package: ${PN}
++Architecture: any
++Depends: ${shlibs:Depends}, ${misc:Depends}, initramfs-tools-core, ${DEBIAN_DEPENDS}
++Description: Configuration files for a custom initramfs
+diff --git a/meta/recipes-support/initramfs-config/files/postinst.tmpl b/meta/recipes-support/initramfs-config/files/postinst.tmpl
+new file mode 100644
+index 0000000..e523906
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/postinst.tmpl
+@@ -0,0 +1,50 @@
++#!/bin/sh
++# postinst script for initramfs-config
++#
++# see: dh_installdeb(1)
++
++set -e
++
++case "$1" in
++    configure)
++        INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
++        if [ -f ${INITRAMFS_CONF} ]; then
++            sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
++            sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
++            if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
++                sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
++            else
++                sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
++            fi
++        fi
++
++        MODULES_LIST_FILE=/etc/initramfs-tools/modules
++        if [ -f ${MODULES_LIST_FILE} ]; then
++            for modname in ${INITRAMFS_MODULE_LIST}; do
++                if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
++                    echo "$modname" >> "${MODULES_LIST_FILE}"
++                fi
++            done
++        fi
++
++        update-initramfs -v -u
++
++    ;;
++    abort-upgrade|abort-remove|abort-deconfigure)
++    ;;
++
++    *)
++        echo "postinst called with unknown argument \`$1'" >&2
++        exit 1
++        ;;
++esac
++# dh_installdeb will replace this with shell code automatically
++# generated by other debhelper scripts.
++#DEBHELPER#
++
++exit 0
+diff --git a/meta/recipes-support/initramfs-config/files/postrm.tmpl b/meta/recipes-support/initramfs-config/files/postrm.tmpl
+new file mode 100644
+index 0000000..115d9b6
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/files/postrm.tmpl
+@@ -0,0 +1,41 @@
++#!/bin/sh
++# postrm script for initramfs-config
++#
++# see: dh_installdeb(1)
++
++set -e
++
++case "$1" in
++    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
++        # back to the debian defaults
++        INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
++        sed -i -E 's/(^MODULES=).*/\1most/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^BUSYBOX=).*/\1auto/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^COMPRESS=).*/\1gzip/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^KEYMAP=).*/\1n/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^DEVICE=).*/\1/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^NFSROOT=).*/\1auto/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^RUNSIZE=).*/\110%/' ${INITRAMFS_CONF}
++        sed -i -E 's/(^ROOT=).*//' ${INITRAMFS_CONF}
++
++        # remove the added modules
++        MODULES_LIST_FILE=/etc/initramfs-tools/modules
++        for modname in ${INITRAMFS_MODULE_LIST}; do
++            sed -i -E 's/$modname//'
++        done
++
++        update-initramfs -v -u
++    ;;
++
++    *)
++        echo "postrm called with unknown argument \`$1'" >&2
++        exit 1
++        ;;
++esac
++
++# dh_installdeb will replace this with shell code automatically
++# generated by other debhelper scripts.
++
++#DEBHELPER#
++
++exit 0
+diff --git a/meta/recipes-support/initramfs-config/initramfs-config.inc b/meta/recipes-support/initramfs-config/initramfs-config.inc
+new file mode 100644
+index 0000000..16049a9
+--- /dev/null
++++ b/meta/recipes-support/initramfs-config/initramfs-config.inc
+@@ -0,0 +1,32 @@
++# This software is a part of ISAR.
++# Copyright (C) 2020 Siemens AG
++#
++# SPDX-License-Identifier: MIT
++inherit dpkg-raw
++inherit template
++DESCRIPTION = "Recipe to set the initramfs configuration and generate a new ramfs"
++
++FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/files:"
++
++SRC_URI = "file://postinst.tmpl \
++           file://postrm.tmpl \
++           file://control.tmpl \
++          "
++
++INITRAMFS_MODULES ?= "most"
++INITRAMFS_BUSYBOX ?= "auto"
++INITRAMFS_COMPRESS ?= "gzip"
++INITRAMFS_KEYMAP ?= "n"
++INITRAMFS_NET_DEVICE ?= ""
++INITRAMFS_NFSROOT ?= "auto"
++INITRAMFS_RUNSIZE ?= "10%"
++INITRAMFS_ROOT ?= ""
++INITRAMFS_MODULE_LIST ?= ""
++CREATE_NEW_INITRAMFS ?= "n"
++KERNEL_PACKAGE = "${@ ("linux-image-" + d.getVar("KERNEL_NAME", True)) if d.getVar("KERNEL_NAME", True) else ""}"
++DEBIAN_DEPENDS += ", ${KERNEL_PACKAGE}"
++TEMPLATE_FILES = "postinst.tmpl control.tmpl postrm.tmpl"
++TEMPLATE_VARS += "INITRAMFS_MODULES INITRAMFS_BUSYBOX INITRAMFS_COMPRESS \
++                  INITRAMFS_KEYMAP INITRAMFS_NET_DEVICE INITRAMFS_NFSROOT \
++                  INITRAMFS_RUNSIZE INITRAMFS_ROOT INITRAMFS_MODULE_LIST \
++                  CREATE_NEW_INITRAMFS DEBIAN_DEPENDS PN"
+-- 
+2.20.1
+
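Review bot: in postinst.tmpl, `grep -Fxq "ROOT=" "${INITRAMFS_CONF}"` only matches a line that is exactly `ROOT=`, so an existing `ROOT=/dev/...` entry is not rewritten and a second `ROOT=` line gets appended; use `grep -q '^ROOT='`. The same block uses `/` as the sed delimiter although `INITRAMFS_ROOT` and `INITRAMFS_NFSROOT` normally contain slashes, so `s/(^ROOT=).*/\1${INITRAMFS_ROOT}/` fails for a value like `/dev/sda2` once the template is expanded; pick a delimiter such as `|`. In postrm.tmpl the loop body `sed -i -E 's/$modname//'` names no file and the single quotes keep `$modname` from expanding, so the added modules are never removed; `sed -i "/^${modname}\$/d" "${MODULES_LIST_FILE}"` does what the comment says, and `s/(^ROOT=).*//` should be `/^ROOT=/d` so it does not leave an empty line behind.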
diff --git a/kas-cip.yml b/kas-cip.yml
index 0da07db..da99d51 100644
--- a/kas-cip.yml
+++ b/kas-cip.yml
@@ -26,6 +26,9 @@ repos:
       01-libubootenv:
         path: isar-patches/0001-u-boot-add-libubootenv.patch
         repo: cip-core
+      02-initramfs:
+        path: isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
+        repo: cip-core
 
 bblayers_conf_header:
   standard: |
-- 
2.20.1


View/Reply Online (#5004): https://lists.cip-project.org/g/cip-dev/message/5004

* [cip-dev] [isar-cip-core PATCH v3 3/6] secure-boot: select boot partition in initramfs
  2020-07-24 15:01   ` [cip-dev] [isar-cip-core PATCH v3 0/6] secureboot with efibootguard Quirin Gylstorff
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64 Quirin Gylstorff
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 2/6] isar-patch: Add initramfs-config patch Quirin Gylstorff
@ 2020-07-24 15:01     ` Quirin Gylstorff
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 4/6] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
                       ` (2 subsequent siblings)
  5 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-07-24 15:01 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 10485 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

As the usage of a unified kernel image freezes the kernel command line
at build time, the rootfs selection for swupdate can no longer be
done with the kernel command line and must be done later in the boot
process. Read /etc/os-release of the root filesystem and check if it contains
the same uuid as stored in the initramfs. If the uuids are the same,
boot the root file system.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/image_uuid.bbclass                    | 33 ++++++++
 .../files/initramfs.image_uuid.hook           | 33 ++++++++
 .../files/initramfs.lsblk.hook                | 29 +++++++
 .../initramfs-config/files/postinst.ext       |  3 +
 .../initramfs-config/files/postinst.tmpl      | 31 ++++++++
 .../files/secure-boot-debian-local-patch      | 79 +++++++++++++++++++
 .../initramfs-abrootfs-secureboot_0.1.bb      | 38 +++++++++
 7 files changed, 246 insertions(+)
 create mode 100644 classes/image_uuid.bbclass
 create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
 create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
 create mode 100644 recipes-support/initramfs-config/files/postinst.ext
 create mode 100644 recipes-support/initramfs-config/files/postinst.tmpl
 create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
 create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb

diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
new file mode 100644
index 0000000..9098411
--- /dev/null
+++ b/classes/image_uuid.bbclass
@@ -0,0 +1,33 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+def generate_image_uuid(d):
+    import uuid
+
+    base_hash = d.getVar("BB_BASEHASH_task-do_rootfs_install", True)
+    if base_hash is None:
+        return None
+    return str(uuid.UUID(base_hash[:32], version=4))
+
+IMAGE_UUID ?= "${@generate_image_uuid()}"
+
+do_generate_image_uuid[vardeps] += "IMAGE_UUID"
+do_generate_image_uuid[depends] = "buildchroot-target:do_build"
+do_generate_image_uuid() {
+    sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release'
+    echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \
+        sudo tee -a '${IMAGE_ROOTFS}/etc/os-release'
+    image_do_mounts
+
+    # update initramfs to add uuid
+    sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u
+}
+addtask generate_image_uuid before do_copy_boot_files after do_rootfs_install
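Review bot: `IMAGE_UUID ?= "${@generate_image_uuid()}"` calls the function without the `d` it is declared with (`def generate_image_uuid(d):`), so the expansion raises a TypeError; it must be `${@generate_image_uuid(d)}`. Deriving the UUID from `BB_BASEHASH_task-do_rootfs_install` is the right choice because it changes with every input of the rootfs task, which is what the cover letter promises for V3; a one-line comment saying so above the function would keep the next reader from swapping it for a random UUID.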
diff --git a/recipes-support/initramfs-config/files/initramfs.image_uuid.hook b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook
new file mode 100644
index 0000000..910ce84
--- /dev/null
+++ b/recipes-support/initramfs-config/files/initramfs.image_uuid.hook
@@ -0,0 +1,33 @@
+# This software is a part of ISAR.
+# Copyright (C) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+#!/bin/sh
+set -x
+PREREQ=""
+
+prereqs()
+{
+     echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+     prereqs
+     exit 0
+     ;;
+esac
+
+. /usr/share/initramfs-tools/scripts/functions
+. /usr/share/initramfs-tools/hook-functions
+
+if [ ! -e /etc/os-release ]; then
+	echo "Warning: couldn't find /etc/os-release!"
+	exit 0
+fi
+
+IMAGE_UUID=$(sed -n 's/^IMAGE_UUID="\(.*\)"/\1/p' /etc/os-release)
+echo "${IMAGE_UUID}" > "${DESTDIR}/conf/image_uuid"
+
+exit 0
\ No newline at end of file
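Review bot: `#!/bin/sh` sits on line 6 after the license header, so it is not a shebang and the hook only runs because the calling shell falls back to interpreting a non-binary file as a script; move it to the first line. `set -x` is debugging output left in and should go. The hook writes `${DESTDIR}/conf/image_uuid` even when the sed finds no `IMAGE_UUID=` line and `${IMAGE_UUID}` is empty; since the patched `local` script only panics on a missing file, an empty value would make every candidate partition fail the comparison at boot, so exit non-zero here when it is empty. The file also lacks a trailing newline.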
diff --git a/recipes-support/initramfs-config/files/initramfs.lsblk.hook b/recipes-support/initramfs-config/files/initramfs.lsblk.hook
new file mode 100644
index 0000000..cf32404
--- /dev/null
+++ b/recipes-support/initramfs-config/files/initramfs.lsblk.hook
@@ -0,0 +1,29 @@
+# This software is a part of ISAR.
+# Copyright (C) Siemens AG, 2020
+#
+# SPDX-License-Identifier: MIT
+
+#!/bin/sh
+PREREQ=""
+
+prereqs()
+{
+     echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+     prereqs
+     exit 0
+     ;;
+esac
+
+. /usr/share/initramfs-tools/scripts/functions
+. /usr/share/initramfs-tools/hook-functions
+
+if [ ! -x /usr/bin/lsblk ]; then
+	echo "Warning: couldn't find /usr/bin/lsblk!"
+	exit 0
+fi
+
+copy_exec /usr/bin/lsblk
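Review bot: same shebang placement problem as the image_uuid hook: `#!/bin/sh` must be the first line. Nothing in this series calls `lsblk`; the patched `local` script enumerates and probes partitions with `blkid`, so either this hook is dead weight or it should be the hook that guarantees `blkid` is present in the initramfs.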
diff --git a/recipes-support/initramfs-config/files/postinst.ext b/recipes-support/initramfs-config/files/postinst.ext
new file mode 100644
index 0000000..cdafa74
--- /dev/null
+++ b/recipes-support/initramfs-config/files/postinst.ext
@@ -0,0 +1,3 @@
+if [ -d /usr/share/secureboot ]; then
+    patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
+fi
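Review bot: `patch -s -p0 ... secure-boot-debian-local.patch` runs on every `configure`, so a reinstall or upgrade of the package tries to apply an already applied patch and the maintainer script fails; add `-N`/`--forward` or a marker check so the second run is a no-op.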
diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl
new file mode 100644
index 0000000..008f68d
--- /dev/null
+++ b/recipes-support/initramfs-config/files/postinst.tmpl
@@ -0,0 +1,31 @@
+#!/bin/sh
+if [ -d /usr/share/secureboot ]; then
+    patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
+fi
+
+INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
+if [ -f ${INITRAMFS_CONF} ]; then
+    sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
+    sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
+    if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
+        sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
+    else
+        sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
+    fi
+fi
+
+MODULES_LIST_FILE=/etc/initramfs-tools/modules
+if [ -f ${MODULES_LIST_FILE} ]; then
+    for modname in ${INITRAMFS_MODULE_LIST}; do
+        if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
+            echo "$modname" >> "${MODULES_LIST_FILE}"
+        fi
+    done
+fi
+
+update-initramfs -v -u
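Review bot: this postinst.tmpl duplicates the one the isar patch in 2/6 installs, but drops `set -e`, the `case "$1" in configure)` guard and the `#DEBHELPER#` marker, so the patching and `update-initramfs -v -u` now run for every maintainer-script argument including `abort-upgrade`. It also overlaps with `do_install` in the .bb, which already splices postinst.ext into the generated postinst with sed; keep one of the two mechanisms, and if overriding the template is the intended one, keep the guard and `set -e` in it.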
diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
new file mode 100644
index 0000000..219578c
--- /dev/null
+++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
@@ -0,0 +1,79 @@
+--- local	2020-07-02 14:59:15.461895194 +0200
++++ ../../../../../../../../../../../recipes-support/initramfs-config/files/local	2020-07-02 14:58:58.405730914 +0200
+@@ -1,5 +1,4 @@
+ # Local filesystem mounting			-*- shell-script -*-
+-
+ local_top()
+ {
+ 	if [ "${local_top_used}" != "yes" ]; then
+@@ -155,34 +154,47 @@
+ local_mount_root()
+ {
+ 	local_top
+-	if [ -z "${ROOT}" ]; then
+-		panic "No root device specified. Boot arguments must include a root= parameter."
+-	fi
+-	local_device_setup "${ROOT}" "root file system"
+-	ROOT="${DEV}"
+-
+-	# Get the root filesystem type if not set
+-	if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
+-		FSTYPE=$(get_fstype "${ROOT}")
+-	else
+-		FSTYPE=${ROOTFSTYPE}
++	if [ ! -e /conf/image_uuid ]; then
++		 panic "could not find image_uuid to select correct root file system"
+ 	fi
++	local INITRAMFS_IMAGE_UUID=$(cat /conf/image_uuid)
++	local partitions=$(blkid -o device)
++	for part in $partitions; do
++			if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
++					local_device_setup "${part}" "root file system"
++					ROOT="${DEV}"
++
++					# Get the root filesystem type if not set
++					if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
++							FSTYPE=$(get_fstype "${ROOT}")
++					else
++							FSTYPE=${ROOTFSTYPE}
++					fi
+ 
+-	local_premount
++				local_premount
+ 
+-	if [ "${readonly?}" = "y" ]; then
+-		roflag=-r
+-	else
+-		roflag=-w
+-	fi
++				if [ "${readonly?}" = "y" ]; then
++						roflag=-r
++				else
++						roflag=-w
++				fi
++				checkfs "${ROOT}" root "${FSTYPE}"
+ 
+-	checkfs "${ROOT}" root "${FSTYPE}"
++				# Mount root
++				# shellcheck disable=SC2086
++				if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
++						if [ -e "${rootmnt?}"/etc/os-release ]; then
++								image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' )
++								if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then
++										return
++								fi
++						fi
++						umount "${rootmnt?}"
++				fi
++			fi
++	done
++	panic "Could not find ROOTFS with matching UUID $INITRAMFS_IMAGE_UUID"
+ 
+-	# Mount root
+-	# shellcheck disable=SC2086
+-	if ! mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
+-		panic "Failed to mount ${ROOT} as root file system."
+-	fi
+ }
+ 
+ local_mount_fs()
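Review bot: every candidate partition is mounted with `${roflag}`, which is `-w` unless `readonly=y`, and `checkfs` is run on it before the UUID is compared, so the slot that is not selected gets fsck'ed and mounted writable on every boot; probe candidates with `-o ro` and without `checkfs`, mount only the matching one with the real flags, and hoist `local_premount` out of the loop since the original called it once. The block also needs a comment that the `IMAGE_UUID` string comparison selects a slot but does not verify its contents (the Secure Boot chain ends at the unified image, so rootfs integrity needs a separate mechanism), and it mixes two and three tabs against the single-tab indentation of the surrounding file.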
diff --git a/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb b/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
new file mode 100644
index 0000000..0be9871
--- /dev/null
+++ b/recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
@@ -0,0 +1,38 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+
+require recipes-support/initramfs-config/initramfs-config.inc
+
+FILESPATH =. "${LAYERDIR_isar-siemens}/recipes-support/initramfs-config/files:"
+
+DEBIAN_DEPENDS += ", busybox, patch"
+
+SRC_URI += "file://postinst.ext \
+            file://initramfs.lsblk.hook \
+            file://initramfs.image_uuid.hook \
+            file://secure-boot-debian-local-patch"
+
+INITRAMFS_BUSYBOX = "y"
+
+do_install() {
+    # add patch for local to /usr/share/secure boot
+    TARGET=${D}/usr/share/secureboot
+    install -m 0755 -d ${TARGET}
+    install -m 0644 ${WORKDIR}/secure-boot-debian-local-patch ${TARGET}/secure-boot-debian-local.patch
+    # patch postinst
+    sed -i -e '/configure)/r ${WORKDIR}/postinst.ext' ${WORKDIR}/postinst
+
+    # add hooks for secure boot
+    HOOKS=${D}/etc/initramfs-tools/hooks
+install -m 0755 -d ${HOOKS}
+    install -m 0740 ${WORKDIR}/initramfs.lsblk.hook ${HOOKS}/lsblk.hook
+    install -m 0740 ${WORKDIR}/initramfs.image_uuid.hook ${HOOKS}/image_uuid.hook
+}
+addtask do_install after do_transform_template
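Review bot: `FILESPATH =. "${LAYERDIR_isar-siemens}/..."` uses a layer variable that does not match the layer name the rest of this series relies on (`LAYERDIR_cip-core` in cip-core-image.bb), so the prefix expands to an empty string and the files are only found by accident of the default search path; please check which layer name is intended. Two smaller points in do_install: `install -m 0755 -d ${HOOKS}` is not indented like the surrounding lines, and the comment `/usr/share/secure boot` should read `/usr/share/secureboot` to match `TARGET`.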
-- 
2.20.1



* [cip-dev] [isar-cip-core PATCH v3 4/6] secure-boot: Add secure boot with unified kernel image
  2020-07-24 15:01   ` [cip-dev] [isar-cip-core PATCH v3 0/6] secureboot with efibootguard Quirin Gylstorff
                       ` (2 preceding siblings ...)
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 3/6] secure-boot: select boot partition in initramfs Quirin Gylstorff
@ 2020-07-24 15:01     ` Quirin Gylstorff
  2020-07-29 17:05       ` Jan Kiszka
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 6/6] doc: Add README for secureboot Quirin Gylstorff
  5 siblings, 1 reply; 29+ messages in thread
From: Quirin Gylstorff @ 2020-07-24 15:01 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff

[-- Attachment #1: Type: text/plain, Size: 30071 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

A unified kernel image contains the os-release, kernel,
kernel command line, initramfs and EFI stub in one binary.
This binary can be booted by systemd-boot and efibootguard.
It also allows signing the kernel and initramfs as one package.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/image_uuid.bbclass                    |  2 +-
 kas/opt/ebg-secure-boot-base.yml              | 18 ++++
 recipes-core/images/cip-core-image.bb         | 11 +--
 .../files/secure-boot/sw-description.tmpl     | 29 +++++++
 recipes-core/images/files/sw-description.tmpl |  2 +-
 recipes-core/images/secureboot.inc            | 21 +++++
 recipes-core/images/swupdate.inc              | 19 ++++
 .../ebg-secure-boot-secrets_0.1.bb            | 51 +++++++++++
 .../ebg-secure-boot-secrets/files/README.md   |  1 +
 .../files/control.tmpl                        | 12 +++
 .../files/sign_secure_image.sh.tmpl           | 22 +++++
 .../initramfs-config/files/postinst.tmpl      | 31 -------
 ...enerate-sb-db-from-existing-certificate.sh | 16 ++++
 scripts/generate_secure_boot_keys.sh          | 51 +++++++++++
 .../wic/plugins/source/efibootguard-boot.py   | 87 +++++++++++++++++--
 .../wic/plugins/source/efibootguard-efi.py    | 40 ++++++++-
 scripts/start-efishell.sh                     | 12 +++
 start-qemu.sh                                 | 54 +++++++++---
 wic/ebg-signed-bootloader.inc                 |  2 +
 wic/qemu-amd64-efibootguard-secureboot.wks    |  9 ++
 wic/qemu-amd64-efibootguard.wks               |  6 +-
 21 files changed, 430 insertions(+), 66 deletions(-)
 create mode 100644 kas/opt/ebg-secure-boot-base.yml
 create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
 create mode 100644 recipes-core/images/secureboot.inc
 create mode 100644 recipes-core/images/swupdate.inc
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 delete mode 100644 recipes-support/initramfs-config/files/postinst.tmpl
 create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
 create mode 100755 scripts/generate_secure_boot_keys.sh
 create mode 100755 scripts/start-efishell.sh
 create mode 100644 wic/ebg-signed-bootloader.inc
 create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks

diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
index 9098411..d5337b8 100644
--- a/classes/image_uuid.bbclass
+++ b/classes/image_uuid.bbclass
@@ -17,7 +17,7 @@ def generate_image_uuid(d):
         return None
     return str(uuid.UUID(base_hash[:32], version=4))
 
-IMAGE_UUID ?= "${@generate_image_uuid()}"
+IMAGE_UUID ?= "${@generate_image_uuid(d)}"
 
 do_generate_image_uuid[vardeps] += "IMAGE_UUID"
 do_generate_image_uuid[depends] = "buildchroot-target:do_build"
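Review bot: the missing `d` argument in `generate_image_uuid()` is a bug fix for code introduced earlier in this series, not part of the unified-kernel-image change; squash it into the patch that added image_uuid.bbclass so that every step of the series builds.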
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
new file mode 100644
index 0000000..c1d98b1
--- /dev/null
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -0,0 +1,18 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 8
+
+local_conf_header:
+  initramfs: |
+    IMAGE_INSTALL += "initramfs-abrootfs-secureboot"
+    SWU_DESCRIPTION = "secureboot"
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index b1ed491..f7e22b8 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -10,7 +10,7 @@
 #
 
 inherit image
-
+inherit image_uuid
 ISAR_RELEASE_CMD = "git -C ${LAYERDIR_cip-core} describe --tags --dirty --always --match 'v[0-9].[0-9]*'"
 DESCRIPTION = "CIP Core image"
 
@@ -19,11 +19,6 @@ IMAGE_INSTALL += "customizations"
 IMAGE_INSTALL += "ltp-full"
 
 # for swupdate
-EXTRACT_PARTITIONS = "img4"
-ROOTFS_PARTITION_NAME="img4.gz"
-
-SRC_URI += "file://sw-description.tmpl"
-TEMPLATE_FILES += "sw-description.tmpl"
-TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE"
+SWU_DESCRIPTION ??= "swupdate"
+include ${SWU_DESCRIPTION}.inc
 
-SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}"
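Review bot: `include ${SWU_DESCRIPTION}.inc` silently does nothing when the file does not exist, so a typo in `SWU_DESCRIPTION` (set from local.conf in the kas file) produces an image without swupdate variables instead of a parse error; use `require ${SWU_DESCRIPTION}.inc` so a wrong value fails loudly. A blank line after `inherit image_uuid` in the first hunk would also keep the file readable.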
diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl
new file mode 100644
index 0000000..bce97d0
--- /dev/null
+++ b/recipes-core/images/files/secure-boot/sw-description.tmpl
@@ -0,0 +1,29 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+software =
+{
+    version = "0.2";
+    name = "secure boot update"
+    images: ({
+            filename = "${ROOTFS_PARTITION_NAME}";
+            device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
+            type = "roundrobin";
+            compressed = "true";
+            filesystem = "ext4";
+    });
+    files: ({
+            filename = "linux.signed.efi";
+            path = "linux.signed.efi";
+            type = "kernelfile";
+            device = "sda2,sda3";
+            filesystem = "vfat";
+    })
+}
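Review bot: `name = "secure boot update"` is the only setting in this file without the terminating `;` used on the surrounding lines (the `files: ({ ... })` group is also missing it); keep the syntax consistent with the existing sw-description.tmpl. Separately, the kernel file entry hardcodes `device = "sda2,sda3"` while the rootfs entry in the same file addresses its targets by partition UUID, so a target whose boot disk is not `sda` (virtio, NVMe) will update the rootfs but not the kernel; consider addressing the boot partitions by UUID or label as well.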
diff --git a/recipes-core/images/files/sw-description.tmpl b/recipes-core/images/files/sw-description.tmpl
index 4d32f6f..f01b500 100644
--- a/recipes-core/images/files/sw-description.tmpl
+++ b/recipes-core/images/files/sw-description.tmpl
@@ -16,7 +16,7 @@ software =
             filename = "${ROOTFS_PARTITION_NAME}";
             device = "fedcba98-7654-3210-cafe-5e0710000001,fedcba98-7654-3210-cafe-5e0710000002";
             type = "roundrobin";
-            compressed = true;
+            compressed = "true";
             filesystem = "ext4";
     });
     files: ({
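Review bot: the change from `compressed = true;` to `compressed = "true";` is unrelated to the unified kernel image and is not explained in the commit message; state which SWUpdate version needs the string form (newer SWUpdate documents `compressed = "zlib"` or `"zstd"` rather than a boolean) or move this to its own commit with that rationale.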
diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc
new file mode 100644
index 0000000..8d9f381
--- /dev/null
+++ b/recipes-core/images/secureboot.inc
@@ -0,0 +1,21 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+EXTRACT_PARTITIONS = "img4"
+ROOTFS_PARTITION_NAME="img4.gz"
+
+SRC_URI += "file://secure-boot/sw-description.tmpl"
+TEMPLATE_FILES += "secure-boot/sw-description.tmpl"
+
+TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME"
+
+SWU_DESCRIPTION_FILE = "secure-boot/sw-description"
+SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}"
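Review bot: `SWU_ADDITIONAL_FILES += "linux.signed.efi ..."` hardcodes the signed file name, but the wic plugin's `_sign_file` only produces `linux.signed.efi` when a `signwith` script is configured and otherwise leaves `linux.efi`; an image built with this include but without signing therefore fails at swupdate packaging with a missing file. Either derive the name from one shared variable used by both the plugin and this include, or make secureboot.inc refuse to build without a signing script.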
diff --git a/recipes-core/images/swupdate.inc b/recipes-core/images/swupdate.inc
new file mode 100644
index 0000000..6708a7e
--- /dev/null
+++ b/recipes-core/images/swupdate.inc
@@ -0,0 +1,19 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+EXTRACT_PARTITIONS = "img4"
+ROOTFS_PARTITION_NAME="img4.gz"
+
+SRC_URI += "file://sw-description.tmpl"
+TEMPLATE_FILES += "sw-description.tmpl"
+TEMPLATE_VARS += "PN ROOTFS_PARTITION_NAME KERNEL_IMAGE INITRD_IMAGE"
+
+SWU_ADDITIONAL_FILES += "${INITRD_IMAGE} ${KERNEL_IMAGE} ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
new file mode 100644
index 0000000..37b35c9
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
@@ -0,0 +1,51 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Add user defined secureboot certifcates to the buildchroot and the script to \
+               sign an image with the given keys"
+
+# variables
+SB_CERT_PATH = "/usr/share/ebg-secure-boot"
+SB_CERTDB ??= ""
+SB_VERIFY_CERT ??= ""
+SB_KEY_NAME ??= "demoDB"
+
+# used to sign the image
+DEBIAN_DEPENDS = "pesign, sbsigntool"
+
+# this package cannot be install together with:
+DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil"
+
+SRC_URI = " \
+    file://sign_secure_image.sh.tmpl \
+    file://control.tmpl"
+SRC_URI_append = " ${@ d.getVar(SB_CERTDB) or "" }"
+SRC_URI_append = " ${@ d.getVar(SB_VERIFY_CERT) or "" }"
+TEMPLATE_FILES = "sign_secure_image.sh.tmpl"
+TEMPLATE_VARS += "SB_CERT_PATH SB_CERTDB SB_VERIFY_CERT SB_KEY_NAME"
+
+TEMPLATE_FILES += "control.tmpl"
+TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
+
+do_install() {
+    TARGET=${D}${SB_CERT_PATH}
+    install -m 0700 -d ${TARGET}
+    cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB}
+    chmod 700 ${TARGET}/${SB_CERTDB}
+    install -m 0600 ${WORKDIR}/${SB_VERIFY_CERT} ${TARGET}/${SB_VERIFY_CERT}
+    TARGET=${D}/usr/bin
+    install -d ${TARGET}
+    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
+}
+
+addtask do_install after do_transform_template
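Review bot: `d.getVar(SB_CERTDB)` and `d.getVar(SB_VERIFY_CERT)` pass undefined Python names rather than the variable names, so the expression raises a NameError at parse time; it should be `d.getVar('SB_CERTDB')`, and the result also needs a `file://` prefix to be a valid SRC_URI entry. In do_install, the defaults `SB_CERTDB ??= ""` and `SB_VERIFY_CERT ??= ""` make `cp -a ${WORKDIR}/${SB_CERTDB}` copy the whole WORKDIR and `install -m 0600 ${WORKDIR}/` fail; either fail early with a clear message when the two variables are unset or document that they are mandatory. Typos: "certifcates" in DESCRIPTION and "cannot be install" in the comment.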
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/README.md b/recipes-devtools/ebg-secure-boot-secrets/files/README.md
new file mode 100644
index 0000000..c739c51
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/README.md
@@ -0,0 +1 @@
+For a secure boot image this directory needs to contain the certdb directory and the db.crt file.
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
new file mode 100644
index 0000000..8361a49
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
@@ -0,0 +1,12 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: ${MAINTAINER}
+Build-Depends: debhelper (>= 9)
+
+Package: ${PN}
+Architecture: ${DPKG_ARCH}
+Depends: ${DEBIAN_DEPENDS}
+Description: ${DESCRIPTION}
+Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
new file mode 100644
index 0000000..e84fd4c
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+set -x
+signee=$1
+signed=$2
+
+usage(){
+    echo "sign with debian snakeoil"
+    echo "$0 signee signed"
+    echo "signee: path to the image to be signed"
+    echo "signed: path to store the signed image"
+}
+
+
+if [ -z "$signee" ] || [ -z "$signed" ]; then
+    usage
+    exit 1
+fi
+
+pesign --force --verbose --padding -n ${SB_CERT_PATH}/${SB_CERTDB} -c "${SB_KEY_NAME}" -s -i $signee -o $signed
+sbverify --cert ${SB_CERT_PATH}/${SB_VERIFY_CERT} $signed
+exit 0
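Review bot: the usage text says "sign with debian snakeoil", but this template belongs to the recipe for user-supplied keys; the message should describe the configured `${SB_KEY_NAME}` key instead. `$signee` and `$signed` are also passed unquoted to pesign and sbverify, so paths with spaces break, and the trailing `exit 0` hides nothing only because `set -e` is active above; quoting the two variables is enough.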
diff --git a/recipes-support/initramfs-config/files/postinst.tmpl b/recipes-support/initramfs-config/files/postinst.tmpl
deleted file mode 100644
index 008f68d..0000000
--- a/recipes-support/initramfs-config/files/postinst.tmpl
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-if [ -d /usr/share/secureboot ]; then
-    patch -s -p0 /usr/share/initramfs-tools/scripts/local /usr/share/secureboot/secure-boot-debian-local.patch
-fi
-
-INITRAMFS_CONF=/etc/initramfs-tools/initramfs.conf
-if [ -f ${INITRAMFS_CONF} ]; then
-    sed -i -E 's/(^MODULES=).*/\1${INITRAMFS_MODULES}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^BUSYBOX=).*/\1${INITRAMFS_BUSYBOX}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^COMPRESS=).*/\1${INITRAMFS_COMPRESS}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^KEYMAP=).*/\1${INITRAMFS_KEYMAP}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^DEVICE=).*/\1${INITRAMFS_NET_DEVICE}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^NFSROOT=).*/\1${INITRAMFS_NFSROOT}/' ${INITRAMFS_CONF}
-    sed -i -E 's/(^RUNSIZE=).*/\1${INITRAMFS_RUNSIZE}/' ${INITRAMFS_CONF}
-    if grep -Fxq "ROOT=" "${INITRAMFS_CONF}"; then
-        sed -i -E 's/(^ROOT=).*/\1${INITRAMFS_ROOT}/' ${INITRAMFS_CONF}
-    else
-        sed -i -E "\$aROOT=${INITRAMFS_ROOT}" ${INITRAMFS_CONF}
-    fi
-fi
-
-MODULES_LIST_FILE=/etc/initramfs-tools/modules
-if [ -f ${MODULES_LIST_FILE} ]; then
-    for modname in ${INITRAMFS_MODULE_LIST}; do
-        if ! grep -Fxq "$modname" "${MODULES_LIST_FILE}"; then
-            echo "$modname" >> "${MODULES_LIST_FILE}"
-        fi
-    done
-fi
-
-update-initramfs -v -u
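Review bot: the deletion of postinst.tmpl, and with it the initramfs.conf handling (MODULES, BUSYBOX, COMPRESS, ROOT, module list) and the `update-initramfs -v -u` call, is not mentioned in the commit message; if that logic moved into initramfs-config.inc or postinst.ext in an earlier patch of the series, say so here so a reader of this commit can verify nothing was lost.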
diff --git a/scripts/generate-sb-db-from-existing-certificate.sh b/scripts/generate-sb-db-from-existing-certificate.sh
new file mode 100755
index 0000000..035f189
--- /dev/null
+++ b/scripts/generate-sb-db-from-existing-certificate.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+name=${SB_NAME:-snakeoil}
+keydir=${SB_KEYDIR:-./keys}
+if [ ! -d  ${keydir} ]; then
+    mkdir -p ${keydir}
+fi
+inkey=${INKEY:-/usr/share/ovmf/PkKek-1-snakeoil.key}
+incert=${INCERT:-/usr/share/ovmf/PkKek-1-snakeoil.pem}
+nick_name=${IN_NICK:-snakeoil}
+TMP=$(mktemp -d)
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+openssl pkcs12 -export -out ${TMP}/foo_key.p12 -inkey $inkey  -in $incert  -name $nick_name
+pk12util -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
+cp $incert ${keydir}/$(basename $incert)
+rm -rf $TMP
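Review bot: `openssl pkcs12 -export` is called without `-passout`, and `pk12util -i` without `-W`, so both prompt interactively for a password, unlike generate_secure_boot_keys.sh, which uses `-passout pass:` and `-W ""`; make the two scripts consistent so this one can run unattended. The script also has no `set -e`, so a failed export still leads to `pk12util` importing a missing file and `cp` copying the cert as if everything had succeeded, and `$TMP`, `$inkey` and `$incert` are unquoted.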
diff --git a/scripts/generate_secure_boot_keys.sh b/scripts/generate_secure_boot_keys.sh
new file mode 100755
index 0000000..8d3f8c0
--- /dev/null
+++ b/scripts/generate_secure_boot_keys.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+name=${SB_NAME:-demo}
+keydir=${SB_KEYDIR:-./keys}
+if [ ! -d  ${keydir} ]; then
+    mkdir -p ${keydir}
+fi
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}PK/" -outform PEM \
+        -keyout ${keydir}/${name}PK.key  -out ${keydir}/${name}PK.crt  -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}KEK/" -outform PEM \
+        -keyout ${keydir}/${name}KEK.key -out ${keydir}/${name}KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:4096 -subj "/CN=${name}DB/" -outform PEM \
+        -keyout ${keydir}/${name}DB.key  -out ${keydir}/${name}DB.crt  -days 3650 -nodes -sha256
+openssl x509 -in ${keydir}/${name}PK.crt  -out ${keydir}/${name}PK.cer  -outform DER
+openssl x509 -in ${keydir}/${name}KEK.crt -out ${keydir}/${name}KEK.cer -outform DER
+openssl x509 -in ${keydir}/${name}DB.crt  -out ${keydir}/${name}DB.cer  -outform DER
+
+openssl pkcs12 -export -out ${keydir}/${name}DB.p12 \
+        -in ${keydir}/${name}DB.crt -inkey ${keydir}/${name}DB.key -passout pass:
+
+GUID=$(uuidgen --random)
+echo $GUID > ${keydir}/${name}GUID
+
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}PK.crt  ${keydir}/${name}PK.esl
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}KEK.crt ${keydir}/${name}KEK.esl
+cert-to-efi-sig-list -g $GUID ${keydir}/${name}DB.crt  ${keydir}/${name}DB.esl
+rm -f ${keydir}/${name}noPK.esl
+touch ${keydir}/${name}noPK.esl
+
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  PK ${keydir}/${name}PK.esl   ${keydir}/${name}PK.auth
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  PK ${keydir}/${name}noPK.esl ${keydir}/${name}noPK.auth
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  KEK ${keydir}/${name}KEK.esl ${keydir}/${name}KEK.auth
+sign-efi-sig-list -g $GUID  \
+                  -k ${keydir}/${name}PK.key -c ${keydir}/${name}PK.crt \
+                  DB ${keydir}/${name}DB.esl ${keydir}/${name}DB.auth
+
+chmod 0600 ${keydir}/${name}*.key
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+
+certutil -A -n 'PK' -d ${keydir}/${name}certdb -t CT,CT,CT -i ${keydir}/${name}PK.crt
+pk12util -W "" -d ${keydir}/${name}certdb -i ${keydir}/${name}DB.p12
+certutil -d ${keydir}/${name}certdb -A -i ${keydir}/${name}DB.crt -n "" -t u
+
+certutil -d ${keydir}/${name}certdb -K
+certutil -d ${keydir}/${name}certdb -L
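Review bot: the script has no `set -e`, so a failing `openssl req` or `certutil` step is masked and the later steps produce an incomplete key directory without a non-zero exit. It is also not obvious from the hunk how the DB key ends up under the nickname the signing script expects: the certificate is imported with `-n ""`, the p12 was exported without `-name`, and sign_secure_image.sh looks it up with `-c "${SB_KEY_NAME}"` (default `demoDB`); a comment or an explicit `-n "${name}DB"` would make that dependency clear. Lastly, `DB.esl` is signed with the PK key rather than the KEK key; if that is intended for the setup-mode enrollment flow, note it in a comment.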
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 38d2b2e..d291f75 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -80,17 +80,29 @@ class EfibootguardBootPlugin(SourcePlugin):
 
 
         boot_files = source_params.get("files", "").split(' ')
+        uefi_kernel = source_params.get("unified-kernel")
         cmdline = bootloader.append
-        root_dev = source_params.get("root", None)
-        if not root_dev:
-            msger.error("Specify root in source params")
-            exit(1)
+        if uefi_kernel:
+            boot_image = cls._create_unified_kernel_image(rootfs_dir,
+                                                          cr_workdir,
+                                                          cmdline,
+                                                          uefi_kernel,
+                                                          deploy_dir,
+                                                          kernel_image,
+                                                          initrd_image,
+                                                          source_params)
+            boot_files.append(boot_image)
+        else:
+            root_dev = source_params.get("root", None)
+            if not root_dev:
+                msger.error("Specify root in source params")
+                exit(1)
             root_dev = root_dev.replace(":", "=")
 
-        cmdline += " root=%s rw" % root_dev
-        boot_files.append(kernel_image)
-        boot_files.append(initrd_image)
-        cmdline += "initrd=%s" % initrd_image if initrd_image else ""
+            cmdline += " root=%s rw" % root_dev
+            boot_files.append(kernel_image)
+            boot_files.append(initrd_image)
+            cmdline += "initrd=%s" % initrd_image if initrd_image else ""
 
         part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
                                              part.label, part.lineno)
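Review bot: in the non-unified branch, `cmdline += "initrd=%s" % initrd_image if initrd_image else ""` has no leading space, so the command line becomes `... rwinitrd=<file>`; this was already wrong before the re-indentation, but since the line is touched here, add the space (`" initrd=%s"`). In the unified-kernel branch, a short comment that `root=` is deliberately omitted because the initramfs selects the rootfs by IMAGE_UUID would save the next reader a trip to the cover letter.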
@@ -160,3 +172,62 @@ class EfibootguardBootPlugin(SourcePlugin):
 
         part.size = bootimg_size
         part.source_file = bootimg
+
+    @classmethod
+    def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
+                                     uefi_kernel, deploy_dir, kernel_image,
+                                     initrd_image, source_params):
+        rootfs_path = rootfs_dir.get('ROOTFS_DIR')
+        os_release_file = "{root}/etc/os-release".format(root=rootfs_path)
+        efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linuxx64.efi.stub"\
+            .format(rootfs_path=rootfs_path)
+        msger.debug("osrelease path: %s", os_release_file)
+        kernel_cmdline_file = "{cr_workdir}/kernel-command-line-file.txt"\
+            .format(cr_workdir=cr_workdir)
+        with open(kernel_cmdline_file, "w") as cmd_fd:
+            cmd_fd.write(cmdline)
+        uefi_kernel_name = "linux.efi"
+        uefi_kernel_file = "{deploy_dir}/{uefi_kernel_name}"\
+            .format(deploy_dir=deploy_dir, uefi_kernel_name=uefi_kernel_name)
+        kernel = "{deploy_dir}/{kernel_image}"\
+            .format(deploy_dir=deploy_dir, kernel_image=kernel_image)
+        initrd = "{deploy_dir}/{initrd_image}"\
+            .format(deploy_dir=deploy_dir, initrd_image=initrd_image)
+        objcopy_cmd = 'objcopy \
+            --add-section .osrel={os_release_file} \
+            --change-section-vma .osrel=0x20000 \
+            --add-section .cmdline={kernel_cmdline_file} \
+            --change-section-vma .cmdline=0x30000 \
+            --add-section .linux={kernel} \
+            --change-section-vma .linux=0x2000000 \
+            --add-section .initrd={initrd} \
+            --change-section-vma .initrd=0x3000000 \
+            {efistub} {uefi_kernel_file}'.format(
+                os_release_file=os_release_file,
+                kernel_cmdline_file=kernel_cmdline_file,
+                kernel=kernel,
+                initrd=initrd,
+                efistub=efistub,
+                uefi_kernel_file=uefi_kernel_file)
+        exec_cmd(objcopy_cmd)
+
+        return cls._sign_file(name=uefi_kernel_name,
+                              signee=uefi_kernel_file,
+                              deploy_dir=deploy_dir,
+                              source_params=source_params)
+
+    @classmethod
+    def _sign_file(cls, name, signee, deploy_dir, source_params):
+        sign_script = source_params.get("signwith")
+        if sign_script and os.path.exists(sign_script):
+            msger.info("sign with script %s", sign_script)
+            name = name.replace(".efi", ".signed.efi")
+            sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\
+                .format(sign_script=sign_script, signee=signee,
+                        deploy_dir=deploy_dir, name=name)
+            exec_cmd(sign_cmd)
+        elif sign_script and not os.path.exists(sign_script):
+            msger.error("Could not find script %s", sign_script)
+            exit(1)
+
+        return name
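Review bot: `_sign_file` returns the plain name `linux.efi` when no `signwith` script is configured, but secureboot.inc and the secure-boot sw-description hardcode `linux.signed.efi`; the two sides should agree on one name source. When a script is configured, the unsigned `linux.efi` stays in `deploy_dir` next to the signed copy, which is easy to pick up by mistake in later packaging; either remove it or write the unsigned intermediate to `cr_workdir` as the efi plugin does. Also make sure `os` is imported in this plugin, as `os.path.exists` is the first use of it in the file as far as this hunk shows.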
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index 5ee451f..6647212 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -64,10 +64,17 @@ class EfibootguardEFIPlugin(SourcePlugin):
         exec_cmd(create_dir_cmd)
 
         for bootloader in bootloader_files:
-            cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (deploy_dir,
-                                                  bootloader,
-                                                  part_rootfs_dir,
-                                                  bootloader)
+            signed_bootloader = cls._sign_file(bootloader,
+                                               "{}/{}".format(deploy_dir,
+                                                              bootloader
+                                                              ),
+                                               cr_workdir,
+                                               source_params)
+            # important the bootloader in deploy_dir is no longer signed
+            cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
+                                                signed_bootloader,
+                                                part_rootfs_dir,
+                                                bootloader)
             exec_cmd(cp_cmd, True)
         du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
         blocks = int(exec_cmd(du_cmd).split()[0])
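Review bot: the comment `# important the bootloader in deploy_dir is no longer signed` reads as if the file in deploy_dir lost its signature; what the code does is keep the unsigned binary in `deploy_dir` and copy the signed one from `cr_workdir`, so reword it to that (e.g. "the signed copy lives in cr_workdir; deploy_dir keeps the unsigned binary").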
@@ -100,3 +107,28 @@ class EfibootguardEFIPlugin(SourcePlugin):
 
         part.size = efi_part_image_size
         part.source_file = efi_part_image
+
+
+    @classmethod
+    def _sign_file(cls, name, signee, cr_workdir, source_params):
+        sign_script = source_params.get("signwith")
+        if sign_script and os.path.exists(sign_script):
+            work_name = name.replace(".efi", ".signed.efi")
+            sign_cmd = "{sign_script} {signee} \
+            {cr_workdir}/{work_name}".format(sign_script=sign_script,
+                                             signee=signee,
+                                             cr_workdir=cr_workdir,
+                                             work_name=work_name)
+            exec_cmd(sign_cmd)
+        elif sign_script and not os.path.exists(sign_script):
+            msger.error("Could not find script %s", sign_script)
+            exit(1)
+        else:
+            # if we do nothing copy the signee to the work directory
+            work_name = name
+            cp_cmd = "cp {signee} {cr_workdir}/{work_name}".format(
+                signee=signee,
+                cr_workdir=cr_workdir,
+                work_name=work_name)
+            exec_cmd(cp_cmd)
+        return work_name
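Review bot: this `_sign_file` is a near copy of the one added to efibootguard-boot.py in the same patch, with subtly different behaviour (this one writes into `cr_workdir` and copies the unsigned file when no script is set; the other writes into `deploy_dir` and copies nothing), which is exactly the kind of divergence that bites later; move the signing helper into one shared module and give it one defined output location. Style: there are two blank lines before the `@classmethod`.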
diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh
new file mode 100755
index 0000000..3c56ebc
--- /dev/null
+++ b/scripts/start-efishell.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
+ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+DISK=$1
+qemu-system-x86_64 -enable-kvm -M q35 \
+ 	                 -cpu host,hv_relaxed,hv_vapic,hv-spinlocks=0xfff -smp 2 -m 2G -no-hpet \
+ 	                 -global ICH9-LPC.disable_s3=1 \
+ 	                 -global isa-fdc.driveA= \
+                   -boot menu=on \
+ 	                 -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+ 	                 -drive if=pflash,format=raw,file=${ovmf_vars} \
+                   -drive file=fat:rw:$DISK
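Review bot: the continuation lines mix a leading space and a tab (`+ \t -cpu ...`) with plain spaces (`-boot menu=on`), which shows up as ragged indentation in every editor; pick one. `$DISK` is used unquoted and is not checked, so running the script without an argument produces a cryptic QEMU error instead of a usage line, and `-enable-kvm` is unconditional here while start-qemu.sh in this same patch falls back to TCG with `accel=kvm:tcg`.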
diff --git a/start-qemu.sh b/start-qemu.sh
index 49f0266..74d1b54 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -15,6 +15,8 @@ usage()
 	echo "Usage: $0 ARCHITECTURE [QEMU_OPTIONS]"
 	echo -e "\nSet QEMU_PATH environment variable to use a locally " \
 		"built QEMU version"
+	echo -e "\nSet SECURE_BOOT environment variable to boot a secure boot environment " \
+		"This environment also needs the variables OVMF_VARS and OVMF_CODE set"
 	exit 1
 }
 
@@ -22,17 +24,25 @@ if [ -n "${QEMU_PATH}" ]; then
 	QEMU_PATH="${QEMU_PATH}/"
 fi
 
+if [ -z "${DISTRO_RELEASE}" ]; then
+  DISTRO_RELEASE="buster"
+fi
+if [ -z "${TARGET_IMAGE}" ];then
+	TARGET_IMAGE="cip-core-image"
+fi
+
 case "$1" in
 	x86|x86_64|amd64)
 		DISTRO_ARCH=amd64
 		QEMU=qemu-system-x86_64
 		QEMU_EXTRA_ARGS=" \
-			-cpu host -smp 4 \
-			-enable-kvm -machine q35 \
+			-cpu qemu64 \
+			-smp 4 \
+			-machine q35,accel=kvm:tcg \
 			-device ide-hd,drive=disk \
 			-device virtio-net-pci,netdev=net"
 		KERNEL_CMDLINE=" \
-			root=/dev/sda vga=0x305 console=ttyS0"
+			root=/dev/sda vga=0x305"
 		;;
 	arm64|aarch64)
 		DISTRO_ARCH=arm64
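Review bot: switching from `-cpu host -enable-kvm` to `-cpu qemu64` with `accel=kvm:tcg`, and moving `console=ttyS0` out of the default command line, are behaviour changes for every user of start-qemu.sh that the commit message does not mention; `-cpu qemu64` in particular removes CPU features the guest previously saw. Please give the rationale (presumably to let OVMF secure boot run without KVM) in the message or split this into its own commit.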
@@ -71,21 +81,41 @@ case "$1" in
 		;;
 esac
 
-if [ -z "${DISTRO_RELEASE}" ]; then
-	DISTRO_RELEASE="buster"
-fi
-
-IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
-IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
+IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
 
 if [ -z "${DISPLAY}" ]; then
 	QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic"
+	case "$1" in
+		x86|x86_64|amd64)
+			KERNEL_CMDLINE="${KERNEL_CMDLINE} console=ttyS0"
+	esac
+fi
+
+
+
+if [ -n "SECURE_BOOT" ]; then
+		ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
+		ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+		QEMU_EXTRA_ARGS=" \
+										${QEMU_EXTRA_ARGS} \
+										-global ICH9-LPC.disable_s3=1 \
+											-global isa-fdc.driveA= \
+										"
+		BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
+									-drive if=pflash,format=raw,file=${ovmf_vars} \
+								-drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw"
+else
+		IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
+
+		KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1)
+		INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1)
+
+		BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
+						-initrd ${INITRD_FILE}
 fi
 
 shift 1
 
 ${QEMU_PATH}${QEMU} \
-	-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
 	-m 1G -serial mon:stdio -netdev user,id=net \
-	-kernel ${IMAGE_PREFIX}-vmlinuz -append "${KERNEL_CMDLINE}" \
-	-initrd ${IMAGE_PREFIX}-initrd.img ${QEMU_EXTRA_ARGS} "$@"
+	${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@"
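Review bot: `if [ -n "SECURE_BOOT" ]` tests the literal string, which is never empty, so the secure boot branch is always taken and the classic kernel/initrd boot path is dead code; it must be `[ -n "${SECURE_BOOT}" ]`. The `else` branch has two further problems once that is fixed: `BOOT_FILES=-kernel ${KERNEL_FILE} -append ...` is parsed by the shell as the assignment `BOOT_FILES=-kernel` followed by an attempt to execute the kernel file as a command, so the whole value needs to be inside one quoted string; and `IMAGE_FILE` is computed but the `-drive file=${IMAGE_FILE},...,id=disk` line was removed from the final QEMU invocation, so `-device ide-hd,drive=disk` in QEMU_EXTRA_ARGS now refers to a drive that is only defined in the secure boot branch. The tab/space mix in the indentation of the new block should also be normalised to the tabs used by the rest of the script.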
diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc
new file mode 100644
index 0000000..667e014
--- /dev/null
+++ b/wic/ebg-signed-bootloader.inc
@@ -0,0 +1,2 @@
+# EFI partition containing efibootguard bootloader binary
+part --source efibootguard-efi  --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi   --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks b/wic/qemu-amd64-efibootguard-secureboot.wks
new file mode 100644
index 0000000..9ccf501
--- /dev/null
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks
@@ -0,0 +1,9 @@
+# short-description: Qemu-amd64 with Efibootguard and SWUpdate
+# long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
+include ebg-signed-bootloader.inc
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+
+include swupdate-partition.inc
diff --git a/wic/qemu-amd64-efibootguard.wks b/wic/qemu-amd64-efibootguard.wks
index 3cd7360..9ccf501 100644
--- a/wic/qemu-amd64-efibootguard.wks
+++ b/wic/qemu-amd64-efibootguard.wks
@@ -1,5 +1,9 @@
 # short-description: Qemu-amd64 with Efibootguard and SWUpdate
 # long-description: Disk image for qemu-amd64 with EFI Boot Guard and SWUpdate
+include ebg-signed-bootloader.inc
+
+# EFI Boot Guard environment/config partitions plus Kernel files
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT1 --align 1024 --part-type=0700 --sourceparams "revision=1,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
 
-include ebg-sysparts.inc
 include swupdate-partition.inc
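Review bot: after this hunk, qemu-amd64-efibootguard.wks has exactly the same content as the new qemu-amd64-efibootguard-secureboot.wks (both index lines end in blob `9ccf501`), so the default, non-secure-boot layout now also requires `unified-kernel=y` and the `signwith` script and the separate file adds nothing. Either keep the old layout (including the dropped `ebg-sysparts.inc`) in the default file and put the signed unified-kernel layout only in the secureboot one, or drop one of the two files.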
-- 
2.20.1


[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5007): https://lists.cip-project.org/g/cip-dev/message/5007
Mute This Topic: https://lists.cip-project.org/mt/75767905/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-



* [cip-dev] [isar-cip-core PATCH v3 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use
  2020-07-24 15:01   ` [cip-dev] [isar-cip-core PATCH v3 0/6] secureboot with efibootguard Quirin Gylstorff
                       ` (3 preceding siblings ...)
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 4/6] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
@ 2020-07-24 15:01     ` Quirin Gylstorff
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 6/6] doc: Add README for secureboot Quirin Gylstorff
  5 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-07-24 15:01 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff


From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Use the Debian snakeoil keys to have a demo case available without
the OVMF setup. Copy the used keys from the build to the deploy
directory to allow usage in non-Debian distributions.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 conf/distro/debian-buster-backports.list      |  1 +
 conf/distro/preferences.ovmf-snakeoil.conf    |  3 ++
 kas/opt/ebg-secure-boot-snakeoil.yml          | 28 +++++++++++++++
 .../ebg-secure-boot-snakeoil_0.1.bb           | 35 ++++++++++++++++++
 .../files/control.tmpl                        | 12 +++++++
 .../files/sign_secure_image.sh                | 36 +++++++++++++++++++
 .../ovmf-binaries/files/control.tmpl          | 11 ++++++
 .../ovmf-binaries/ovmf-binaries_0.1.bb        | 30 ++++++++++++++++
 start-qemu.sh                                 |  4 +--
 9 files changed, 158 insertions(+), 2 deletions(-)
 create mode 100644 conf/distro/debian-buster-backports.list
 create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
 create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
 create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
 create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb

diff --git a/conf/distro/debian-buster-backports.list b/conf/distro/debian-buster-backports.list
new file mode 100644
index 0000000..f2dd104
--- /dev/null
+++ b/conf/distro/debian-buster-backports.list
@@ -0,0 +1 @@
+deb http://ftp.us.debian.org/debian buster-backports main contrib non-free
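Review bot: the added source enables `contrib non-free` as well, but the only package this series takes from buster-backports (see preferences.ovmf-snakeoil.conf) is `ovmf`, which lives in main; restricting the line to `main` keeps the non-free components out of the build root. Using `deb.debian.org` instead of the fixed `ftp.us.debian.org` mirror would also avoid tying the build to one country mirror.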
diff --git a/conf/distro/preferences.ovmf-snakeoil.conf b/conf/distro/preferences.ovmf-snakeoil.conf
new file mode 100644
index 0000000..b51d1d4
--- /dev/null
+++ b/conf/distro/preferences.ovmf-snakeoil.conf
@@ -0,0 +1,3 @@
+Package: ovmf
+Pin: release n=buster-backports
+Pin-Priority: 801
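Review bot: `Pin: release n=buster-backports` hardcodes the release name, while start-qemu.sh in this series derives paths from DISTRO_RELEASE; a build for another release would silently get no pin and fall back to the distro `ovmf`, which according to the kas comment lacks the snakeoil certificates. A short comment stating that the file is buster-only, or generating it from the release variable, would make that visible.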
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
new file mode 100644
index 0000000..cda8177
--- /dev/null
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -0,0 +1,28 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 8
+  includes:
+   - ebg-secure-boot-base.yml
+
+
+local_conf_header:
+  secure-boot: |
+    # Add snakeoil and ovmf binaries for qemu
+    IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
+    IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
+    WKS_FILE = "${MACHINE}-${BOOTLOADER}-secureboot.wks"
+
+  ovmf: |
+    # snakeoil certs are only part of backports
+    DISTRO_APT_SOURCES_append = " conf/distro/debian-buster-backports.list"
+    DISTRO_APT_PREFERENCES_append = " conf/distro/preferences.ovmf-snakeoil.conf"
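Review bot: `ovmf-binaries` appears in IMAGER_BUILD_DEPS but not in IMAGER_INSTALL, so it is built purely for the side effect of its do_extract_ovmf task copying OVMF into the deploy directory (see ovmf-binaries_0.1.bb in this patch); the comment `# Add snakeoil and ovmf binaries for qemu` should say so, otherwise the dependency looks unused. The double blank line before `local_conf_header:` is a style nit.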
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
new file mode 100644
index 0000000..89abbcf
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
@@ -0,0 +1,35 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Add script to sign for secure boot with the debian snakeoil keys"
+# used to sign the image
+DEBIAN_DEPENDS = "pesign,  sbsigntool, ovmf, openssl, libnss3-tools"
+
+
+# this package cannot be install together with:
+DEBIAN_CONFLICTS = "ebg-secure-boot-secrets"
+
+SRC_URI = "file://sign_secure_image.sh \
+           file://control.tmpl"
+
+TEMPLATE_FILES = "control.tmpl"
+TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
+
+do_install() {
+    TARGET=${D}/usr/bin
+    install -d ${TARGET}
+    install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
+}
+
+addtask do_install after do_transform_template
+
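Review bot: the file ends with an extra blank line (the last `+` line), which git flags as trailing whitespace, and `DEBIAN_DEPENDS` has a double space after `pesign,`. In the comment, "cannot be install together with" should read "cannot be installed together with"; it would also help to state there why the conflict exists (both packages providing the `/usr/bin/sign_secure_image.sh` path that the wks files reference?).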
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
new file mode 100644
index 0000000..8361a49
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
@@ -0,0 +1,12 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: ${MAINTAINER}
+Build-Depends: debhelper (>= 9)
+
+Package: ${PN}
+Architecture: ${DPKG_ARCH}
+Depends: ${DEBIAN_DEPENDS}
+Description: ${DESCRIPTION}
+Conflicts: ${DEBIAN_CONFLICTS}
diff --git a/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
new file mode 100644
index 0000000..081dbe9
--- /dev/null
+++ b/recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+set -e
+set -x
+signee=$1
+signed=$2
+
+usage(){
+    echo "sign with debian snakeoil"
+    echo "$0 signee signed"
+    echo "signee: path to the image to be signed"
+    echo "signed: path to store the signed image"
+}
+
+
+if [ -z "$signee" ] || [ -z "$signed" ]; then
+    usage
+    exit 1
+fi
+
+name=snakeoil
+keydir=$(mktemp -d)
+inkey=/usr/share/ovmf/PkKek-1-snakeoil.key
+incert=/usr/share/ovmf/PkKek-1-snakeoil.pem
+nick_name=snakeoil
+TMP=$(mktemp -d)
+mkdir -p ${keydir}/${name}certdb
+certutil -N --empty-password -d ${keydir}/${name}certdb
+openssl pkcs12 -export -passin pass:"snakeoil" -passout pass: -out ${TMP}/foo_key.p12 -inkey $inkey  -in $incert  -name $nick_name
+pk12util -W "" -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
+cp $incert ${keydir}/$(basename $incert)
+rm -rf $TMP
+
+pesign --force --verbose --padding -n ${keydir}/${name}certdb -c "$nick_name" -s -i $signee -o $signed
+sbverify --cert $incert $signed
+rm -rf $keydir
+exit 0
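Review bot: `keydir` and `TMP` are only removed on the success path; with `set -e`, a failing `pk12util`, `pesign` or `sbverify` exits the script and leaves the exported PKCS#12 bundle and the NSS database behind under /tmp. Add `trap 'rm -rf "$keydir" "$TMP"' EXIT` right after the `mktemp -d` calls and drop the explicit `rm -rf` lines. `set -x` also traces every command including `-passin pass:"snakeoil"`; that is harmless for the public snakeoil key, but this script is the obvious template for ebg-secure-boot-secrets with a real key, so the trace should not be the default. Minor: `name` and `nick_name` hold the same value, and `$signee` and `$signed` are unquoted.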
diff --git a/recipes-devtools/ovmf-binaries/files/control.tmpl b/recipes-devtools/ovmf-binaries/files/control.tmpl
new file mode 100644
index 0000000..54641d6
--- /dev/null
+++ b/recipes-devtools/ovmf-binaries/files/control.tmpl
@@ -0,0 +1,11 @@
+Source: ${PN}
+Section: misc
+Priority: optional
+Standards-Version: 3.9.6
+Maintainer: ${MAINTAINER}
+Build-Depends: debhelper (>= 9), ${DEBIAN_BUILD_DEPENDS}
+
+Package: ${PN}
+Architecture: ${DPKG_ARCH}
+Depends: ${DEBIAN_DEPENDS}
+Description: ${DESCRIPTION}
diff --git a/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
new file mode 100644
index 0000000..025b970
--- /dev/null
+++ b/recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
@@ -0,0 +1,30 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Copy the OVMF biniaries from the build changeroot to the deploy dir"
+
+# this is a empty debian package
+SRC_URI = "file://control.tmpl"
+
+DEBIAN_BUILD_DEPENDS = "ovmf"
+TEMPLATE_FILES = "control.tmpl"
+TEMPLATE_VARS += "PN DEBIAN_DEPENDS MAINTAINER DESCRIPTION DPKG_ARCH DEBIAN_BUILD_DEPENDS"
+
+
+do_extract_ovmf() {
+    install -m 0755 -d ${DEPLOY_DIR_IMAGE}
+    cp -r ${BUILDCHROOT_DIR}/usr/share/OVMF ${DEPLOY_DIR_IMAGE}
+    chown $(id -u):$(id -g) ${DEPLOY_DIR_IMAGE}/OVMF
+}
+
+addtask do_extract_ovmf after do_install_builddeps before do_dpkg_build
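Review bot: `chown $(id -u):$(id -g)` is not recursive, so only the `OVMF` directory itself changes owner while the `.fd` files copied by `cp -r` keep whatever owner the copy produced; use `chown -R` if the deploy dir must be user-owned. Typos in the strings: "biniaries" and "changeroot" in DESCRIPTION, "a empty" in the comment. `TEMPLATE_VARS` lists DEBIAN_DEPENDS, which this recipe never sets, so `Depends:` in control.tmpl expands to an empty field unless dpkg-raw supplies a default.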
diff --git a/start-qemu.sh b/start-qemu.sh
index 74d1b54..3a3b2f7 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -94,8 +94,8 @@ fi
 
 
 if [ -n "SECURE_BOOT" ]; then
-		ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
-		ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
+		ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd}
+		ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS.snakeoil.fd}
 		QEMU_EXTRA_ARGS=" \
 										${QEMU_EXTRA_ARGS} \
 										-global ICH9-LPC.disable_s3=1 \
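Review bot: the new defaults hardcode `qemu-amd64` in the deploy path although the rest of the script builds paths from `${DISTRO_ARCH}`; `./build/tmp/deploy/images/qemu-${DISTRO_ARCH}/OVMF/...` would follow the existing pattern. While touching this block, the context line `if [ -n "SECURE_BOOT" ]` still tests a literal string instead of `"${SECURE_BOOT}"`, so the OVMF branch is taken unconditionally.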
-- 
2.20.1




* [cip-dev] [isar-cip-core PATCH v3 6/6] doc: Add README for secureboot
  2020-07-24 15:01   ` [cip-dev] [isar-cip-core PATCH v3 0/6] secureboot with efibootguard Quirin Gylstorff
                       ` (4 preceding siblings ...)
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
@ 2020-07-24 15:01     ` Quirin Gylstorff
  5 siblings, 0 replies; 29+ messages in thread
From: Quirin Gylstorff @ 2020-07-24 15:01 UTC (permalink / raw)
  To: cip-dev, Jan.Kiszka; +Cc: Quirin Gylstorff


From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.secureboot.md | 229 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 229 insertions(+)
 create mode 100644 doc/README.secureboot.md

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
new file mode 100644
index 0000000..d79248b
--- /dev/null
+++ b/doc/README.secureboot.md
@@ -0,0 +1,229 @@
+# Efibootguard Secure boot
+
+This document describes how to generate a secure boot capable image with
+[efibootguard](https://github.com/siemens/efibootguard).
+
+## Description
+
+The image build signs the efibootguard bootloader (bootx64.efi) and generates
+a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
+A unified kernel image packs the kernel, initramfs and the kernel command-line
+in one binary object. As the kernel command-line is immutable after the build
+process, the previous selection of the root file system with a command-line parameter is no longer
+possible. Therefore the selection of the root file-system occurs now in the initramfs.
+
+The image uses an A/B partition layout to update the root file system. The sample implementation to
+select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
+During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
+If a match is found the rootfs is used for the boot.
+
+## Adaptation for Images
+
+###  WIC
+The following elements must be present in a wks file to create a secure boot capable image.
+
+```
+part --source efibootguard-efi  --sourceparams "signwith=<script or executable to sign the image>"
+part --source efibootguard-boot --sourceparams "uefikernel=<name of the unified kernel>,signwith=<script or executable to sign the image>"
+```
+
+#### Script or executable to sign the image
+
+The wic plugins for the [bootloader](./scripts/lib/wic/plugins/source/efibootguard-efi.py)
+and [boot partition](./scripts/lib/wic/plugins/source/efibootguard-boot.py) require an
+executable or script with the following interface:
+```
+<script_name> <inputfile> <outputfile>
+```
+- script name: name and path of the script added with
+`--sourceparams "signwith=/usr/bin/sign_secure_image.sh"` to the wic image
+- inputfile: path and name of the file to be signed
+- outputfile: path and name of the signed input
+
+Supply the script name and path to wic by adding
+`signwith=<path and name of the script to sign>"` to sourceparams of the partition.
+
+
+### Existing packages to sign an image
+
+#### ebg-secure-boot-snakeoil
+
+This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2)
+backported from Debian bullseye and signs the image.
+
+#### ebg-secure-boot-secrets
+This package takes a user-generated certificate and adds it to the build system.
+The following variable and steps are necessary to build a secure boot capable image:
+- Set certification information to sign and verify the image with:
+    - SB_CERTDB: The directory containing the certificate database create with certutil
+    - SB_VERIFY_CERT: The certificate to verify the signing process
+    - SB_KEY_NAME: Name of the key in the certificate database
+- if necessary change the script to select the boot partition after an update
+    - recipes-support/initramfs-config/files/initramfs.selectrootfs.script
+
+The files referred by SB_CERTDB and SB_VERIFY_CERT must be store in  `recipes-devtools/ebg-secure-boot-secrets/files/`
+
+## QEMU
+
+Set up a secure boot test environment with [QEMU](https://www.qemu.org/)
+
+### Prerequisites
+
+- OVMF from edk2 release edk2-stable201911 or newer
+  - This documentation was tested under Debian 10 with OVMF (0.0~20200229-2) backported from Debian
+  bullseye
+- efitools for KeyTool.efi
+  - This documentation was tested under Debian 10 with efitools (1.9.2-1) backported from Debian bullseye
+- libnss3-tools
+
+### Debian Snakeoil keys
+
+The build copies the  Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF. Y
+u can use them as described in section [Start Image](### Start the image).
+
+### Generate Keys
+
+#### Reuse exiting keys
+
+It is possible to use exiting keys like /usr/share/ovmf/PkKek-1-snakeoil.pem' from Debian
+by executing the script  `scripts/generate-sb-db-from-existing-certificate.sh`, e.g.:
+```
+export SB_NAME=<name for the secureboot config>
+export SB_KEYDIR=<location to store the database>
+export INKEY=<secret key of the certificate>
+export INCERT=<certificate>
+export INNICK=<name of the certificate in the database>
+scripts/generate-sb-db-from-existing-certificate.sh
+```
+This will create the directory `SB_KEYDIR` and will store the `${SB_NAME}certdb` with the given name.
+
+Copy the used certificate and database to `recipes-devtools/ebg-secure-boot-secrets/files/`
+
+#### Generate keys
+
+To generate the necessary keys and information to test secure-boot with QEMU
+execute the script `scripts/generate_secure_boot_keys.sh`
+
+##### Add Keys to OVMF
+1. Create a folder and copy the generated keys and KeyTool.efi
+(in Debian the file can be found at: /lib/efitools/x86_64-linux-gnu/KeyTool.efi) to the folder
+```
+mkdir secureboot-tools
+cp -r keys secureboot-tools
+cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools
+```
+2. Copy the file OVMF_VARS.fd (in Debian the file can be found at /usr/share/OVMF/OVMF_VARS.fd)
+to the current directory. OVMF_VARS.fd contains no keys can be instrumented for secureboot.
+3. Start QEMU with the script scripts/start-efishell.sh
+```
+scripts/start-efishell.sh secureboot-tools
+```
+4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+          -> "Edit Keys"
+             -> "The Allowed Signatures Database (db)"
+                -> "Add New Key"
+                -> Change/Confirm device
+                -> Select "DB.esl" file
+             -> "The Key Exchange Key Database (KEK)"
+                -> "Add New Key"
+                -> Change/Confirm device
+                -> Select "KEK.esl" file
+             -> "The Platform Key (PK)
+                -> "Replace Key(s)"
+                -> Change/Confirm device
+                -> Select "PK.auth" file
+5. quit QEMU
+
+### Build image
+
+Build the image with a signed efibootguard and unified kernel image
+with the snakeoil keys by executing:
+```
+kas-docker --isar build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
+```
+
+For user-generated keys, create a new option file. This option file could look like this:
+```
+header:
+  version: 8
+  includes:
+   - opt/ebg-swu.yml
+   - opt/ebg-secure-boot-initramfs.yml
+
+local_conf_header:
+  secure-boot: |
+    IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
+    IMAGER_INSTALL += "ebg-secure-boot-secrets"
+  user-keys:
+    SB_CERTDB = "democertdb"
+    SB_VERIFY_CERT = "demo.crt"
+    SB_KEY_NAME = "demo"
+```
+
+Replace `demo` with the name of the user-generated certificates.
+
+### Start the image
+
+#### Debian snakeoil
+
+Start the image with the following command:
+```
+SECURE_BOOT=y \
+./start-qemu.sh amd64
+```
+
+The default `OVMF_VARS.snakeoil.fd` boot to the EFI shell. To boot Linux enter the following command:
+```
+FS0:\EFI\BOOT\bootx64.efi
+```
+To change the boot behavior, enter `exit` in the shell to enter the bios and change the boot order.
+
+#### User-generated keys
+Start the image with the following command:
+```
+SECURE_BOOT=y \
+OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd \
+OVMF_VARS=<path to the modified OVMF_VARS.fd> \
+./start-qemu.sh amd64
+```
+# Example: Update the image
+
+For updating the image, the following steps are necessary:
+- [Build the image with snakeoil keys](### Build image)
+- save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-buster-qemu-amd64.swu` to /tmp
+- modify the image for example add a new version to the image by adding `PV=2.0.0` to
+  [cip-core-image.bb](recipes-core/images/cip-core-image.bb)
+- start the new target and copy the swu `cip-core-image-cip-core-buster-qemu-amd64.swu`
+  to the running system, e.g.:
+```
+SECURE=y ./start-qemu.sh amd64 -virtfs local,path=/tmp,mount_tag=host0,security_model=passthrough,id=host0
+```
+- mount `host0` on target with:
+```
+mount -t 9p -o trans=virtio,version=9p2000.L host0 /mnt
+```
+- check which partition is booted, e.g. with `lsblk`:
+```
+root@demo:/mnt# lsblk
+NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
+sda      8:0    0    2G  0 disk
+├─sda1   8:1    0 16.4M  0 part
+├─sda2   8:2    0   32M  0 part
+├─sda3   8:3    0   32M  0 part
+├─sda4   8:4    0 1000M  0 part /
+└─sda5   8:5    0 1000M  0 part
+```
+
+- install with `swupdate -i /mnt/cip-core-image-cip-core-buster-qemu-amd64.swu`
+- reboot
+- check which partition is booted, e.g. with `lsblk`. The rootfs should have changed:
+```
+root@demo:~# lsblk
+NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
+sda      8:0    0    2G  0 disk
+├─sda1   8:1    0 16.4M  0 part
+├─sda2   8:2    0   32M  0 part
+├─sda3   8:3    0   32M  0 part
+├─sda4   8:4    0 1000M  0 part
+└─sda5   8:5    0 1000M  0 part /
+```
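Review bot: a few things in the new README will mislead readers. The update example near the end uses `SECURE=y ./start-qemu.sh amd64` while the rest of the document and start-qemu.sh use `SECURE_BOOT=y`; the section links `[Start Image](### Start the image)` and `[Build the image with snakeoil keys](### Build image)` are not valid markdown anchors (use `#start-the-image` and `#build-image`); the sentence in the Debian Snakeoil keys section is split mid-word ("Y" / "u can") and lacks the closing backtick after `OVMF`; "exiting keys" should read "existing keys", "must be store in" should read "must be stored in", and "OVMF_VARS.fd contains no keys can be instrumented" is missing "and". The WIC section states that an `efibootguard-efi` partition with `signwith=` must be present, but the wks files in this series obtain it through `include ebg-signed-bootloader.inc`; mentioning that include would connect the two.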
-- 
2.20.1




* Re: [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64 Quirin Gylstorff
@ 2020-07-29 16:47       ` Jan Kiszka
  2020-07-30  1:56         ` Daniel Sangorrin
  0 siblings, 1 reply; 29+ messages in thread
From: Jan Kiszka @ 2020-07-29 16:47 UTC (permalink / raw)
  To: cip-dev, Quirin Gylstorff


On 24.07.20 17:01, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Add a fat configuration to access FAT Partitions on the qemu-amd64
> target.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>   recipes-kernel/linux/files/qemu-amd64_defconfig | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/recipes-kernel/linux/files/qemu-amd64_defconfig b/recipes-kernel/linux/files/qemu-amd64_defconfig
> index 7487152..5449317 100644
> --- a/recipes-kernel/linux/files/qemu-amd64_defconfig
> +++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
> @@ -351,3 +351,9 @@ CONFIG_CRYPTO_DEV_CCP=y
>   # CONFIG_XZ_DEC_ARM is not set
>   # CONFIG_XZ_DEC_ARMTHUMB is not set
>   # CONFIG_XZ_DEC_SPARC is not set
> +CONFIG_MSDOS_FS=y
> +CONFIG_VFAT_FS=y
> +CONFIG_NLS_ASCII=y
> +CONFIG_NLS_CODEPAGE_437=y
> +CONFIG_NLS_ISO8859_1=y
> +CONFIG_NLS_UTF8=y
> 

Taking that for now, but we should quickly move that defconfig into 
cip-kernel-config. I'm not sure if there is anything for qemu already. 
Could you check and propose our defconfig for it?

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux



* Re: [cip-dev] [isar-cip-core PATCH v3 4/6] secure-boot: Add secure boot with unified kernel image
  2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 4/6] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
@ 2020-07-29 17:05       ` Jan Kiszka
  0 siblings, 0 replies; 29+ messages in thread
From: Jan Kiszka @ 2020-07-29 17:05 UTC (permalink / raw)
  To: cip-dev, Quirin Gylstorff


On 24.07.20 17:01, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> A unified kernel image contains the os-release, kernel,
> kernel commandline, initramfs and efi-stub in one binary.
> This binary can be booted by systemd-boot and efibootguard.
> It also allows signing kernel and initramfs as one package.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>

...

> diff --git a/start-qemu.sh b/start-qemu.sh
> index 49f0266..74d1b54 100755
> --- a/start-qemu.sh
> +++ b/start-qemu.sh
> @@ -15,6 +15,8 @@ usage()
>   	echo "Usage: $0 ARCHITECTURE [QEMU_OPTIONS]"
>   	echo -e "\nSet QEMU_PATH environment variable to use a locally " \
>   		"built QEMU version"
> +	echo -e "\nSet SECURE_BOOT environment variable to boot a secure boot environment " \
> +		"This environment also needs the variables OVMF_VARS and OVMF_CODE set"
>   	exit 1
>   }
>   
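Review bot: the new usage text says the secure boot environment "also needs the variables OVMF_VARS and OVMF_CODE set", but the code further down in this patch provides defaults for both (`${OVMF_CODE:-...}`, `${OVMF_VARS:-...}`); describe them as optional overrides, and add a full stop between "environment" and "This".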
> @@ -22,17 +24,25 @@ if [ -n "${QEMU_PATH}" ]; then
>   	QEMU_PATH="${QEMU_PATH}/"
>   fi
>   
> +if [ -z "${DISTRO_RELEASE}" ]; then
> +  DISTRO_RELEASE="buster"
> +fi
> +if [ -z "${TARGET_IMAGE}" ];then
> +	TARGET_IMAGE="cip-core-image"
> +fi
> +
>   case "$1" in
>   	x86|x86_64|amd64)
>   		DISTRO_ARCH=amd64
>   		QEMU=qemu-system-x86_64
>   		QEMU_EXTRA_ARGS=" \
> -			-cpu host -smp 4 \
> -			-enable-kvm -machine q35 \
> +			-cpu qemu64 \
> +			-smp 4 \
> +			-machine q35,accel=kvm:tcg \
>   			-device ide-hd,drive=disk \
>   			-device virtio-net-pci,netdev=net"
>   		KERNEL_CMDLINE=" \
> -			root=/dev/sda vga=0x305 console=ttyS0"
> +			root=/dev/sda vga=0x305"
>   		;;
>   	arm64|aarch64)
>   		DISTRO_ARCH=arm64
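Review bot: the switch from `-cpu host -enable-kvm` to `-cpu qemu64` with `-machine q35,accel=kvm:tcg` changes what CPU the guest sees (the generic qemu64 model instead of the host's features), not only the accelerator fallback; the commit message describes the unified kernel image and not this behavioural change, so either justify it there or keep `-cpu host` when KVM is available. The `DISTRO_RELEASE="buster"` line uses two-space indentation where the file uses tabs, and `];then` lacks the space before `then`.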
> @@ -71,21 +81,41 @@ case "$1" in
>   		;;
>   esac
>   
> -if [ -z "${DISTRO_RELEASE}" ]; then
> -	DISTRO_RELEASE="buster"
> -fi
> -
> -IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/cip-core-image-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
> -IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
> +IMAGE_PREFIX="$(dirname $0)/build/tmp/deploy/images/qemu-${DISTRO_ARCH}/${TARGET_IMAGE}-cip-core-${DISTRO_RELEASE}-qemu-${DISTRO_ARCH}"
>   
>   if [ -z "${DISPLAY}" ]; then
>   	QEMU_EXTRA_ARGS="${QEMU_EXTRA_ARGS} -nographic"
> +	case "$1" in
> +		x86|x86_64|amd64)
> +			KERNEL_CMDLINE="${KERNEL_CMDLINE} console=ttyS0"
> +	esac
> +fi
> +
> +
> +
> +if [ -n "SECURE_BOOT" ]; then
> +		ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd}
> +		ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd}
> +		QEMU_EXTRA_ARGS=" \
> +										${QEMU_EXTRA_ARGS} \
> +										-global ICH9-LPC.disable_s3=1 \
> +											-global isa-fdc.driveA= \
> +										"

Looks like someone fell asleep on the tab key - please indent more 
reasonably.

> +		BOOT_FILES="-drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \
> +									-drive if=pflash,format=raw,file=${ovmf_vars} \
> +								-drive file=${IMAGE_PREFIX}.wic.img,discard=unmap,if=none,id=disk,format=raw"
> +else
> +		IMAGE_FILE=$(ls ${IMAGE_PREFIX}.ext4.img)
> +
> +		KERNEL_FILE=$(ls ${IMAGE_PREFIX}-vmlinuz* | tail -1)
> +		INITRD_FILE=$(ls ${IMAGE_PREFIX}-initrd.img* | tail -1)
> +
> +		BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \
> +						-initrd ${INITRD_FILE}
>   fi
>   
>   shift 1
>   
>   ${QEMU_PATH}${QEMU} \
> -	-drive file=${IMAGE_FILE},discard=unmap,if=none,id=disk,format=raw \
>   	-m 1G -serial mon:stdio -netdev user,id=net \
> -	-kernel ${IMAGE_PREFIX}-vmlinuz -append "${KERNEL_CMDLINE}" \
> -	-initrd ${IMAGE_PREFIX}-initrd.img ${QEMU_EXTRA_ARGS} "$@"
> +	${BOOT_FILES} ${QEMU_EXTRA_ARGS} "$@"
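Review bot: `BOOT_FILES=-kernel ${KERNEL_FILE} -append "${KERNEL_CMDLINE}" \ -initrd ${INITRD_FILE}` in the else branch is not a quoted assignment: the shell sets `BOOT_FILES=-kernel` only for the duration of one command and then tries to execute `${KERNEL_FILE}` (the vmlinuz path) as that command with the remaining words as its arguments. Quoting the whole value as the pflash branch does is not enough either, because `${BOOT_FILES}` is expanded unquoted on the qemu command line and a multi-word KERNEL_CMDLINE (`root=/dev/sda vga=0x305`) can then no longer reach `-append` as one argument; keep `-kernel`/`-append`/`-initrd` on the qemu invocation itself, as before, or switch to a bash array. In the same hunk, `if [ -n "SECURE_BOOT" ]` tests a literal string and is therefore always true, so the OVMF pflash branch is taken even when SECURE_BOOT is unset; it needs `"${SECURE_BOOT}"`.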

This file is in conflict with changes in next. Please rebase.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux



* Re: [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64
  2020-07-29 16:47       ` Jan Kiszka
@ 2020-07-30  1:56         ` Daniel Sangorrin
  2020-07-30  5:56           ` Jan Kiszka
  0 siblings, 1 reply; 29+ messages in thread
From: Daniel Sangorrin @ 2020-07-30  1:56 UTC (permalink / raw)
  To: cip-dev, quirin.gylstorff; +Cc: jan.kiszka


> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Jan Kiszka
> Sent: Thursday, July 30, 2020 1:47 AM
> To: cip-dev@lists.cip-project.org; Quirin Gylstorff <quirin.gylstorff@siemens.com>
> Subject: Re: [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64
> 
> On 24.07.20 17:01, Quirin Gylstorff wrote:
> > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >
> > Add a fat configuration to access FAT Partitions on the qemu-amd64
> > target.
> >
> > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> > ---
> >   recipes-kernel/linux/files/qemu-amd64_defconfig | 6 ++++++
> >   1 file changed, 6 insertions(+)
> >
> > diff --git a/recipes-kernel/linux/files/qemu-amd64_defconfig
> > b/recipes-kernel/linux/files/qemu-amd64_defconfig
> > index 7487152..5449317 100644
> > --- a/recipes-kernel/linux/files/qemu-amd64_defconfig
> > +++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
> > @@ -351,3 +351,9 @@ CONFIG_CRYPTO_DEV_CCP=y
> >   # CONFIG_XZ_DEC_ARM is not set
> >   # CONFIG_XZ_DEC_ARMTHUMB is not set
> >   # CONFIG_XZ_DEC_SPARC is not set
> > +CONFIG_MSDOS_FS=y
> > +CONFIG_VFAT_FS=y
> > +CONFIG_NLS_ASCII=y
> > +CONFIG_NLS_CODEPAGE_437=y
> > +CONFIG_NLS_ISO8859_1=y
> > +CONFIG_NLS_UTF8=y
> >
> 
> Taking that for now, but we should quickly move that defconfig into cip-kernel-config. I'm not sure if there is anything for qemu already.
> Could you check and propose our defconfig for it?

I confirmed that cip-kernel-config's qemu config boots correctly with isar-cip-core's start_qemu.sh.
Shall I prepare a patch that removes the local one and picks up the one from cip-kernel-config?

Thanks,
Daniel



* Re: [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64
  2020-07-30  1:56         ` Daniel Sangorrin
@ 2020-07-30  5:56           ` Jan Kiszka
  0 siblings, 0 replies; 29+ messages in thread
From: Jan Kiszka @ 2020-07-30  5:56 UTC (permalink / raw)
  To: daniel.sangorrin, cip-dev, quirin.gylstorff


On 30.07.20 03:56, daniel.sangorrin@toshiba.co.jp wrote:
>> -----Original Message-----
>> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Jan Kiszka
>> Sent: Thursday, July 30, 2020 1:47 AM
>> To: cip-dev@lists.cip-project.org; Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> Subject: Re: [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64
>>
>> On 24.07.20 17:01, Quirin Gylstorff wrote:
>>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>>
>>> Add a fat configuration to access FAT Partitions on the qemu-amd64
>>> target.
>>>
>>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>> ---
>>>    recipes-kernel/linux/files/qemu-amd64_defconfig | 6 ++++++
>>>    1 file changed, 6 insertions(+)
>>>
>>> diff --git a/recipes-kernel/linux/files/qemu-amd64_defconfig
>>> b/recipes-kernel/linux/files/qemu-amd64_defconfig
>>> index 7487152..5449317 100644
>>> --- a/recipes-kernel/linux/files/qemu-amd64_defconfig
>>> +++ b/recipes-kernel/linux/files/qemu-amd64_defconfig
>>> @@ -351,3 +351,9 @@ CONFIG_CRYPTO_DEV_CCP=y
>>>    # CONFIG_XZ_DEC_ARM is not set
>>>    # CONFIG_XZ_DEC_ARMTHUMB is not set
>>>    # CONFIG_XZ_DEC_SPARC is not set
>>> +CONFIG_MSDOS_FS=y
>>> +CONFIG_VFAT_FS=y
>>> +CONFIG_NLS_ASCII=y
>>> +CONFIG_NLS_CODEPAGE_437=y
>>> +CONFIG_NLS_ISO8859_1=y
>>> +CONFIG_NLS_UTF8=y
>>>
>>
>> Taking that for now, but we should quickly move that defconfig into cip-kernel-config. I'm not sure if there is anything for qemu already.
>> Could you check and propose our defconfig for it?
> 
> I confirmed that cip-kernel-config's qemu config boots correctly with isar-cip-core's start_qemu.sh.
> Shall I prepare a patch that removes the local one and picks up the one from cip-kernel-config?
> 

That would be good.

If needed, Quirin, please patch cip-kernel-config directly for these 
extra switches.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


Thread overview: 29+ messages
2020-06-25 14:10 [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard Quirin Gylstorff
2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 1/7] kernel: add fat for qemu-amd64 Quirin Gylstorff
2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 2/7] isar-patch: Add initramfs-config patch Quirin Gylstorff
2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 3/7] secure-boot: select boot partition in initramfs Quirin Gylstorff
2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 4/7] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 5/7] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 6/7] swupdate: Add luahandler for secureboot Quirin Gylstorff
2020-06-29  8:14   ` Jan Kiszka
2020-06-29  9:01     ` Quirin Gylstorff
2020-06-25 14:10 ` [cip-dev] [isar-cip-core RFC 7/7] doc: Add README " Quirin Gylstorff
2020-06-29 12:53 ` [cip-dev] [isar-cip-core PATCH v2 0/6] secureboot with efibootguard Quirin Gylstorff
2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 1/6] kernel: add fat for qemu-amd64 Quirin Gylstorff
2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 2/6] isar-patch: Add initramfs-config patch Quirin Gylstorff
2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 3/6] secure-boot: select boot partition in initramfs Quirin Gylstorff
2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 4/6] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
2020-06-29 12:53   ` [cip-dev] [isar-cip-core PATCH v2 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
2020-06-29 12:54   ` [cip-dev] [isar-cip-core PATCH v2 6/6] doc: Add README for secureboot Quirin Gylstorff
2020-06-29 13:54     ` Jan Kiszka
2020-07-24 15:01   ` [cip-dev] [isar-cip-core PATCH v3 0/6] secureboot with efibootguard Quirin Gylstorff
2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 1/6] kernel: add fat for qemu-amd64 Quirin Gylstorff
2020-07-29 16:47       ` Jan Kiszka
2020-07-30  1:56         ` Daniel Sangorrin
2020-07-30  5:56           ` Jan Kiszka
2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 2/6] isar-patch: Add initramfs-config patch Quirin Gylstorff
2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 3/6] secure-boot: select boot partition in initramfs Quirin Gylstorff
2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 4/6] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
2020-07-29 17:05       ` Jan Kiszka
2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
2020-07-24 15:01     ` [cip-dev] [isar-cip-core PATCH v3 6/6] doc: Add README for secureboot Quirin Gylstorff
