cip-dev.lists.cip-project.org archive mirror
* [cip-dev] [isar-cip-core][PATCH v2 0/2] Secureboot fixes
@ 2020-11-30 14:48 Quirin Gylstorff
From: Quirin Gylstorff @ 2020-11-30 14:48 UTC (permalink / raw)
  To: Jan.Kiszka, cip-dev; +Cc: Quirin Gylstorff


From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

Adapt OVMF binaries to new upstream names.
Repeat the scan for the rootfs until udev has finished populating /dev or a timeout occurs.
Build at:
https://gitlab.com/Quirin.Gy/isar-cip-core/-/pipelines/223158898

--
Changes Version 2:
- fix author and commit message

Vijai Kumar K (2):
  start-qemu.sh: Change OVMF binary names
  Secureboot:  Wait until udev populates /dev

 doc/README.secureboot.md                      |  12 +-
 .../files/secure-boot-debian-local-patch      | 104 +++++++++++-------
 start-qemu.sh                                 |   4 +-
 3 files changed, 72 insertions(+), 48 deletions(-)

-- 
2.20.1



* [cip-dev] [isar-cip-core][PATCH v2 1/2] start-qemu.sh: Change OVMF binary names
From: Quirin Gylstorff @ 2020-11-30 14:48 UTC (permalink / raw)
  To: Jan.Kiszka, cip-dev; +Cc: Vijai Kumar K, Quirin Gylstorff


From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>

Upstream changed the names of the OVMF binaries as
```
The existing 2MB images no longer have sufficient variable space for the
current Secure Boot Forbidden Signature Database.
```

Reference:
https://salsa.debian.org/qemu-team/edk2/-/commit/72d8cee9648dd79852ea976e6a8eac0727c27b7f
https://salsa.debian.org/qemu-team/edk2/-/commit/27f786b5fdd126b09c4e732429cc8a30191b72e6

Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.secureboot.md | 12 ++++++------
 start-qemu.sh            |  4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index d79248b..4c4ab41 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -78,8 +78,8 @@ Set up a secure boot test environment with [QEMU](https://www.qemu.org/)
 
 ### Debian Snakeoil keys
 
-The build copies the  Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF. Y
-u can use them as described in section [Start Image](### Start the image).
+The build copies the  Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF. 
+You can use them as described in section [Start Image](### Start the image).
 
 ### Generate Keys
 
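Review bot: the inline code span opened before `./build/tmp/deploy/images/<machine>/OVMF` on the first `+` line is never closed, so everything after it renders as code in markdown; since the line is being rewritten anyway, close the span (`.../OVMF`.) and drop the doubled space in "the  Debian". The link target `(### Start the image)` is not a valid markdown anchor either; `(#start-the-image)` would resolve to that heading.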
@@ -112,8 +112,8 @@ mkdir secureboot-tools
 cp -r keys secureboot-tools
 cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools
 ```
-2. Copy the file OVMF_VARS.fd (in Debian the file can be found at /usr/share/OVMF/OVMF_VARS.fd)
-to the current directory. OVMF_VARS.fd contains no keys can be instrumented for secureboot.
+2. Copy the file OVMF_VARS_4M.fd (in Debian the file can be found at /usr/share/OVMF/OVMF_VARS_4M.fd)
+to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot.
 3. Start QEMU with the script scripts/start-efishell.sh
 ```
 scripts/start-efishell.sh secureboot-tools
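Review bot: the second `+` line, "OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot", is missing a conjunction; read "contains no keys and can be instrumented for secure boot". It is also worth saying in this step that the 4M variable store has to be used together with the matching `OVMF_CODE_4M` image, which is what the last hunk of this patch switches the defaults to; a reader who keeps an older `OVMF_CODE` next to the new `OVMF_VARS_4M.fd` will end up with mismatched flash images.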
@@ -172,7 +172,7 @@ SECURE_BOOT=y \
 ./start-qemu.sh amd64
 ```
 
-The default `OVMF_VARS.snakeoil.fd` boot to the EFI shell. To boot Linux enter the following command:
+The default `OVMF_VARS.snakeoil_4M.fd` boot to the EFI shell. To boot Linux enter the following command:
 ```
 FS0:\EFI\BOOT\bootx64.efi
 ```
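Review bot: the file name on the `+` line, `OVMF_VARS.snakeoil_4M.fd`, does not match the default that start-qemu.sh uses later in this same patch, `OVMF_VARS_4M.snakeoil.fd`; the doc should use the same name, otherwise a reader copying it points QEMU at a file that does not exist. While here, "boot to the EFI shell" should read "boots to the EFI shell".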
@@ -182,7 +182,7 @@ To change the boot behavior, enter `exit` in the shell to enter the bios and cha
 Start the image with the following command:
 ```
 SECURE_BOOT=y \
-OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd \
+OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd \
 OVMF_VARS=<path to the modified OVMF_VARS.fd> \
 ./start-qemu.sh amd64
 ```
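Review bot: the unchanged context line `OVMF_VARS=<path to the modified OVMF_VARS.fd>` still refers to the 2M variable store, although step 2 of this patch now tells the reader to copy and modify `OVMF_VARS_4M.fd`; update the placeholder to `<path to the modified OVMF_VARS_4M.fd>` so that the example pairs it with the `OVMF_CODE_4M.secboot.fd` on the line above.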
diff --git a/start-qemu.sh b/start-qemu.sh
index e53cd99..6592ac6 100755
--- a/start-qemu.sh
+++ b/start-qemu.sh
@@ -94,8 +94,8 @@ fi
 shift 1
 
 if [ -n "${SECURE_BOOT}" ]; then
-		ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE.secboot.fd}
-		ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS.snakeoil.fd}
+		ovmf_code=${OVMF_CODE:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secboot.fd}
+		ovmf_vars=${OVMF_VARS:-./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_VARS_4M.snakeoil.fd}
 		QEMU_EXTRA_ARGS=" ${QEMU_EXTRA_ARGS} \
 			-global ICH9-LPC.disable_s3=1 \
 			-global isa-fdc.driveA= "
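Review bot: the new defaults silently assume that the deployed `OVMF` directory already carries the `_4M` file names; if an older build still deploys the 2M files, the failure only surfaces when QEMU tries to open the missing flash images. A check right after the two assignments makes the rename visible at the point where it matters, e.g. `[ -f "${ovmf_code}" ] && [ -f "${ovmf_vars}" ] || { echo "OVMF images not found: ${ovmf_code} ${ovmf_vars}" >&2; exit 1; }`.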
-- 
2.20.1



* [cip-dev] [isar-cip-core][PATCH v2 2/2] Secureboot: Wait until udev populates /dev
From: Quirin Gylstorff @ 2020-11-30 14:48 UTC (permalink / raw)
  To: Jan.Kiszka, cip-dev; +Cc: Vijai Kumar K, Quirin Gylstorff


From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>

In actual physical targets like ipc227e, with the current initramfs
local file, the system drops to initramfs shell during boot.

This is due to "blkid -o device" returning an empty list since udev
has not yet created the necessary entries in /dev.

Add a timeout to reattempt finding a valid partition before giving up.

Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 .../files/secure-boot-debian-local-patch      | 104 +++++++++++-------
 1 file changed, 64 insertions(+), 40 deletions(-)

diff --git a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
index 219578c..cd2d271 100644
--- a/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
+++ b/recipes-support/initramfs-config/files/secure-boot-debian-local-patch
@@ -1,79 +1,103 @@
---- local	2020-07-02 14:59:15.461895194 +0200
-+++ ../../../../../../../../../../../recipes-support/initramfs-config/files/local	2020-07-02 14:58:58.405730914 +0200
+--- local.orig	2020-11-18 14:42:43.540055680 +0530
++++ local	2020-11-18 20:15:48.687164540 +0530
 @@ -1,5 +1,4 @@
  # Local filesystem mounting			-*- shell-script -*-
 -
  local_top()
  {
  	if [ "${local_top_used}" != "yes" ]; then
-@@ -155,34 +154,47 @@
- local_mount_root()
+@@ -152,36 +151,70 @@
+ 	DEV="${real_dev}"
+ }
+ 
+-local_mount_root()
++local_find_by_uuid()
  {
- 	local_top
+-	local_top
 -	if [ -z "${ROOT}" ]; then
 -		panic "No root device specified. Boot arguments must include a root= parameter."
 -	fi
 -	local_device_setup "${ROOT}" "root file system"
 -	ROOT="${DEV}"
--
++	partitions="$1"
+ 
 -	# Get the root filesystem type if not set
 -	if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
 -		FSTYPE=$(get_fstype "${ROOT}")
 -	else
 -		FSTYPE=${ROOTFSTYPE}
-+	if [ ! -e /conf/image_uuid ]; then
-+		 panic "could not find image_uuid to select correct root file system"
- 	fi
-+	local INITRAMFS_IMAGE_UUID=$(cat /conf/image_uuid)
-+	local partitions=$(blkid -o device)
+-	fi
 +	for part in $partitions; do
-+			if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
-+					local_device_setup "${part}" "root file system"
-+					ROOT="${DEV}"
++		if [ "$(blkid -p ${part} --match-types novfat -s USAGE -o value)" = "filesystem" ]; then
++			local_device_setup "${part}" "root file system"
++			ROOT="${DEV}"
 +
-+					# Get the root filesystem type if not set
-+					if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
-+							FSTYPE=$(get_fstype "${ROOT}")
-+					else
-+							FSTYPE=${ROOTFSTYPE}
-+					fi
++			# Get the root filesystem type if not set
++			if [ -z "${ROOTFSTYPE}" ] || [ "${ROOTFSTYPE}" = auto ]; then
++				FSTYPE=$(get_fstype "${ROOT}")
++			else
++				FSTYPE=${ROOTFSTYPE}
++			fi
  
 -	local_premount
-+				local_premount
++			local_premount
  
 -	if [ "${readonly?}" = "y" ]; then
 -		roflag=-r
 -	else
 -		roflag=-w
 -	fi
-+				if [ "${readonly?}" = "y" ]; then
-+						roflag=-r
-+				else
-+						roflag=-w
-+				fi
-+				checkfs "${ROOT}" root "${FSTYPE}"
++			if [ "${readonly?}" = "y" ]; then
++				roflag=-r
++			else
++				roflag=-w
++			fi
++			checkfs "${ROOT}" root "${FSTYPE}"
  
 -	checkfs "${ROOT}" root "${FSTYPE}"
-+				# Mount root
-+				# shellcheck disable=SC2086
-+				if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
-+						if [ -e "${rootmnt?}"/etc/os-release ]; then
-+								image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' )
-+								if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then
-+										return
-+								fi
-+						fi
-+						umount "${rootmnt?}"
++			# Mount root
++			# shellcheck disable=SC2086
++			if mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
++				if [ -e "${rootmnt?}"/etc/os-release ]; then
++				image_uuid=$(sed -n 's/^IMAGE_UUID=//p' "${rootmnt?}"/etc/os-release | tr -d '"' )
++					if [ "${INITRAMFS_IMAGE_UUID}" = "${image_uuid}" ]; then
++						return 0
++					fi
 +				fi
++				umount "${rootmnt?}"
 +			fi
++		fi
 +	done
-+	panic "Could not find ROOTFS with matching UUID $INITRAMFS_IMAGE_UUID"
++	return 1
++}
  
 -	# Mount root
 -	# shellcheck disable=SC2086
 -	if ! mount ${roflag} ${FSTYPE:+-t "${FSTYPE}"} ${ROOTFLAGS} "${ROOT}" "${rootmnt?}"; then
 -		panic "Failed to mount ${ROOT} as root file system."
--	fi
++local_mount_root()
++{
++	local_top
++	if [ ! -e /conf/image_uuid ]; then
++		 panic "could not find image_uuid to select correct root file system"
++	fi
++	local INITRAMFS_IMAGE_UUID=$(cat /conf/image_uuid)
++	local partitions=""
++	local ret=1
++	local timeout_uuid=0
++	while [ "${ret}" != 0 ] && [ "${timeout_uuid}" -le 10 ]; do
++		wait_for_udev 10
++		partitions=$(blkid -o device)
++		local_find_by_uuid "$partitions"
++		ret=$?
++		timeout_uuid="$(cat /proc/uptime)"
++		timeout_uuid="${timeout_uuid%%[. ]*}"
++		timeout_uuid=$((timeout_uuid - local_top_time))
++	done
++	if [ "${ret}" != 0 ]; then
++		panic "Could not find ROOTFS with matching UUID $INITRAMFS_IMAGE_UUID"
++	else
++		return $ret
+ 	fi
  }
  
- local_mount_fs()
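Review bot: the retry loop in the new `local_mount_root()` has no delay between attempts and its bound is a magic number: when `wait_for_udev 10` returns immediately because the udev queue is already empty but the device has not shown up yet, the loop runs `blkid` and `local_find_by_uuid` back to back (mounting and unmounting every candidate each pass) until the 10 seconds counted from `local_top_time` are used up. Add a `sleep 1` after a failed attempt and give the `10` a name such as `rootfs_scan_timeout`. `local_top_time` is not set anywhere in this hunk, so a comment should state that it relies on `local_top` in the unpatched Debian script; `timeout_uuid` holds elapsed seconds rather than a timeout and would be clearer as `elapsed`. `local_find_by_uuid` also reads `INITRAMFS_IMAGE_UUID`, which is declared `local` in the caller; that works under dash's dynamic scoping but passing it as a second argument makes the dependency explicit. Minor: the `image_uuid=$(sed ...)` line is indented one level too shallow, and the `else` branch's `return $ret` can only ever return 0.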
-- 
2.20.1



* Re: [cip-dev] [isar-cip-core][PATCH v2 0/2] Secureboot fixes
From: Jan Kiszka @ 2020-11-30 18:41 UTC (permalink / raw)
  To: Q. Gylstorff, cip-dev


On 30.11.20 15:48, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> Adapt OVMF binaries to new upstream names.
> Repeat the scan for the rootfs until udev has finished populating /dev or a timeout occurs.
> Build at:
> https://gitlab.com/Quirin.Gy/isar-cip-core/-/pipelines/223158898
> 
> --
> Changes Version 2:
> - fix author and commit message
> 
> Vijai Kumar K (2):
>   start-qemu.sh: Change OVMF binary names
>   Secureboot:  Wait until udev populates /dev
> 
>  doc/README.secureboot.md                      |  12 +-
>  .../files/secure-boot-debian-local-patch      | 104 +++++++++++-------
>  start-qemu.sh                                 |   4 +-
>  3 files changed, 72 insertions(+), 48 deletions(-)
> 

Thanks, applied.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

