From: "Jan Kiszka" <jan.kiszka@siemens.com>
To: "Q. Gylstorff" <Quirin.Gylstorff@siemens.com>,
cip-dev@lists.cip-project.org
Subject: Re: [cip-dev][isar-cip-core][PATCH v4 0/6] secureboot with efibootguard
Date: Fri, 21 Aug 2020 17:18:30 +0200
Message-ID: <5636e8fc-839d-de07-1c17-30fce9efd905@siemens.com>
In-Reply-To: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>
On 21.08.20 11:55, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This patchset adds secureboot with efibootguard to cip-core.
>
> The image build signs the efibootguard bootloader (bootx64.efi) and generates
> a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
> A unified kernel image packs the kernel, initramfs and the kernel command-line
> in one binary object. As the kernel command-line is immutable after the build
> process, the previous selection of the root file system with a command-line parameter is no longer
> possible. Therefore the selection of the root file-system occurs now in the initramfs.
>
> The image uses an A/B partition layout to update the root file system. The sample implementation to
> select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
> During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
> If a match is found the rootfs is used for the boot.
>
> Changes V2:
>
> - rebase to [1]
> - removed luahandler patch as it is now part of [1]
> - add handling for sw-description
>
> Changes V3:
>
> - rewrite the image id creation to ensure a new uuid is generated if a new package is
> added or the rootfs changes in any other way
> - add README section on how to execute/test the software update mechanism
> - adapt to version v3 of [1]
> - update the patch
> - add wks file for efibootguard and swupdate
>
> [1]: a/b rootfsupdate with software update
>
> Changes V4:
>
> - rebase onto next 619edb509bd287277749580cbc842e57d5044756
> - fix indent of ./start-qemu.sh
> - whitespace fixes
> - update libubootenv patch to v2
> - update revision of cip-kernel-config to ca24d965adf77730caf1cd32bdfcffd69e369502
> to boot secureboot with qemu
> - swupdate swdescription for non-secure-boot images
>
> Quirin Gylstorff (6):
> linux-cip: Update revision of kernel config
> isar-patch: Add initramfs-config patch
> secure-boot: select boot partition in initramfs
> secure-boot: Add secure boot with unified kernel image
> secure-boot: Add Debian snakeoil keys for ease-of-use
> doc: Add README for secureboot
>
> classes/image_uuid.bbclass | 33 +++
> conf/distro/debian-buster-backports.list | 1 +
> conf/distro/preferences.ovmf-snakeoil.conf | 3 +
> doc/README.secureboot.md | 229 ++++++++++++++++++
> .../0001-u-boot-add-libubootenv.patch | 161 ++++++------
> ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++
> kas-cip.yml | 3 +
> kas/opt/ebg-secure-boot-base.yml | 18 ++
> kas/opt/ebg-secure-boot-snakeoil.yml | 28 +++
> kas/opt/ebg-swu.yml | 4 +-
> recipes-core/images/cip-core-image.bb | 12 +-
> .../files/secure-boot/sw-description.tmpl | 29 +++
> recipes-core/images/files/sw-description.tmpl | 19 +-
> recipes-core/images/secureboot.inc | 21 ++
> recipes-core/images/swupdate.inc | 21 ++
> .../ebg-secure-boot-secrets_0.1.bb | 51 ++++
> .../ebg-secure-boot-secrets/files/README.md | 1 +
> .../files/control.tmpl | 12 +
> .../files/sign_secure_image.sh.tmpl | 22 ++
> .../ebg-secure-boot-snakeoil_0.1.bb | 34 +++
> .../files/control.tmpl | 12 +
> .../files/sign_secure_image.sh | 36 +++
> .../ovmf-binaries/files/control.tmpl | 11 +
> .../ovmf-binaries/ovmf-binaries_0.1.bb | 30 +++
> recipes-kernel/linux/linux-cip-common.inc | 2 +-
> .../files/initramfs.image_uuid.hook | 33 +++
> .../files/initramfs.lsblk.hook | 29 +++
> .../initramfs-config/files/postinst.ext | 3 +
> .../files/secure-boot-debian-local-patch | 79 ++++++
> .../initramfs-abrootfs-secureboot_0.1.bb | 38 +++
> ...enerate-sb-db-from-existing-certificate.sh | 16 ++
> scripts/generate_secure_boot_keys.sh | 51 ++++
> .../wic/plugins/source/efibootguard-boot.py | 87 ++++++-
> .../wic/plugins/source/efibootguard-efi.py | 40 ++-
> scripts/start-efishell.sh | 12 +
> start-qemu.sh | 59 +++--
> wic/ebg-signed-bootloader.inc | 2 +
> wic/qemu-amd64-efibootguard-secureboot.wks | 9 +
> wic/qemu-amd64-efibootguard.wks | 1 -
> 39 files changed, 1330 insertions(+), 129 deletions(-)
> create mode 100644 classes/image_uuid.bbclass
> create mode 100644 conf/distro/debian-buster-backports.list
> create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
> create mode 100644 doc/README.secureboot.md
> create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
> create mode 100644 kas/opt/ebg-secure-boot-base.yml
> create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
> create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
> create mode 100644 recipes-core/images/secureboot.inc
> create mode 100644 recipes-core/images/swupdate.inc
> create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
> create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
> create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
> create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
> create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
> create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
> create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
> create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
> create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
> create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
> create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
> create mode 100644 recipes-support/initramfs-config/files/postinst.ext
> create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
> create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
> create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
> create mode 100755 scripts/generate_secure_boot_keys.sh
> create mode 100755 scripts/start-efishell.sh
> create mode 100644 wic/ebg-signed-bootloader.inc
> create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
>
I've taken this to next, but this also needs a hook-up with the CI system.
Thanks,
Jan
--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
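The rootfs selection described in the quoted cover letter (the initramfs compares its own uuid with the uuid stored in /etc/os-release of each A/B rootfs and boots the one that matches) can be sketched as a small POSIX shell routine. This is an added illustration, not code from the isar-cip-core patchset: the os-release key name IMAGE_UUID, the candidate mountpoints and the sample uuid values are all assumptions constructed here so that it runs offline against temporary directories instead of real partitions.

```shell
#!/bin/sh
# Added example, not part of the isar-cip-core patchset: a stand-alone model of
# the initramfs rootfs selection described in the cover letter.

# Name of the KEY=VALUE entry in /etc/os-release that carries the image uuid.
# Hypothetical; the real patchset may use a different key.
UUID_KEY="IMAGE_UUID"

# Print the value of KEY from an os-release style file, with surrounding
# double quotes stripped. Prints nothing if the key is absent; returns 1 if
# the file cannot be read (e.g. an empty or corrupt partition).
read_os_release_key() {
    file="$1"; key="$2"
    [ -r "$file" ] || return 1
    sed -n "s/^${key}=//p" "$file" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Given the initramfs's own uuid followed by candidate rootfs mountpoints,
# print the first mountpoint whose /etc/os-release carries the same uuid.
# Returns 1 when no candidate matches, so the caller can drop to a rescue
# path instead of booting an unverified rootfs. In a real initramfs the
# candidates would be mounted read-only before this comparison.
select_rootfs() {
    want="$1"; shift
    for mnt in "$@"; do
        have=$(read_os_release_key "$mnt/etc/os-release" "$UUID_KEY") || continue
        if [ -n "$have" ] && [ "$have" = "$want" ]; then
            printf '%s\n' "$mnt"
            return 0
        fi
    done
    return 1
}

# Build a constructed A/B layout under a temporary directory and print its
# path. Slot A carries uuid 1111-aaaa, slot B carries 2222-bbbb (sample
# values, not from the project).
make_demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/a/etc" "$root/b/etc"
    printf 'ID=debian\n%s="1111-aaaa"\n' "$UUID_KEY" > "$root/a/etc/os-release"
    printf 'ID=debian\n%s="2222-bbbb"\n' "$UUID_KEY" > "$root/b/etc/os-release"
    printf '%s\n' "$root"
}

# Stand-alone run: pretend the initramfs was built for image 2222-bbbb.
demo=$(make_demo_layout)
echo "selected rootfs: $(select_rootfs 2222-bbbb "$demo/a" "$demo/b")"
rm -rf "$demo"
```

The uuid match only answers "which slot belongs to this kernel/initramfs build"; it does not attest the contents of that slot, so on a secure-boot system the rootfs still needs its own integrity mechanism (e.g. dm-verity or a read-only signed image) for the chain of trust to extend past the unified kernel image.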