From: Jan Kiszka <jan.kiszka@siemens.com>
To: cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>,
Christian Storm <christian.storm@siemens.com>
Subject: [isar-cip-core][PATCH 00/12] Fixes and improvements for SWUpdate images, kernel/config update
Date: Wed, 4 May 2022 21:45:48 +0200
Message-ID: <cover.1651693560.git.jan.kiszka@siemens.com>
Various updates and enhancements I try to summarize here:
- qemu-arm64 enabling for SWUpdate/secure boot using the UEFI pattern
- update to EFI Boot Guard 0.11
- switch to unified kernel images built by EFI Boot Guard
- fix for verity setups with CONFIG_DM_VERITY=m
- improve error handling when mounting /etc overlay
- update to latest CIP kernels and cip-kernel-config
Jan
Jan Kiszka (12):
initramfs-etc-overlay-hook: Improve error reporting of script
initramfs-etc-overlay-hook: Install overlay module
initramfs-abrootfs-hook: Remove obsolete patch
Rework secure boot key handling and signing recipes
linux-cip: Update cip-kernel-config for QEMU and ipc227e
linux-cip: Update to 4.19.239-cip72 and 5.10.112-cip6
efibootguard: Update to 0.11 release
efibootguard: Use new unified kernel image generation
efibootguard: Add support for embedding DTBs into unified kernel
images
u-boot-qemu-arm64: Add recipe for customized version based on 2022.04
Enable SWUpdate with and w/o secure boot for QEMU arm64
start-qemu.sh: Add support for SWUpdate and secure boot mode to arm64
Kconfig | 6 +-
conf/machine/qemu-arm64.conf | 3 +
doc/README.secureboot.md | 22 ++--
kas/opt/ebg-secure-boot-snakeoil.yml | 10 +-
kas/opt/efibootguard.yml | 6 +-
...bootguard_0.10.bb => efibootguard_0.11.bb} | 4 +-
...efile-Drop-nostdinc-for-EFI-binaries.patch | 28 +++++
.../0001-configure-Fix-aarch64-EFI-arch.patch | 28 -----
.../efibootguard/files/debian/control.tmpl | 2 +-
.../files/debian/efibootguard.install | 3 +-
...-rtc_mktime-and-mktime64-Y2038-ready.patch | 107 ++++++++++++++++++
recipes-bsp/u-boot/files/rules | 40 +++++++
recipes-bsp/u-boot/files/secure-boot.cfg | 6 +
.../u-boot/u-boot-qemu-arm64_2022.04.bb | 50 ++++++++
.../ebg-secure-boot-secrets_0.1.bb | 51 ---------
.../ebg-secure-boot-secrets/files/README.md | 1 -
.../files/control.tmpl | 12 --
.../files/sign_secure_image.sh.tmpl | 22 ----
.../ebg-secure-boot-signer_0.1.bb | 26 +++++
.../files/sign_secure_image.sh | 33 ++++++
.../ebg-secure-boot-snakeoil_0.1.bb | 34 ------
.../files/control.tmpl | 12 --
.../files/sign_secure_image.sh | 36 ------
.../files/PkKek-1-snakeoil.key | 27 +++++
.../files/PkKek-1-snakeoil.pem | 21 ++++
.../secure-boot-key_0.1.bb | 14 +++
.../secure-boot-secrets.inc | 34 ++++++
.../secure-boot-snakeoil_0.1.bb | 17 +++
.../files/debian-local-patch | 103 -----------------
.../files/etc-overlay.hook | 25 ++++
.../files/etc-overlay.script | 4 +-
.../initramfs-etc-overlay-hook_0.1.bb | 3 +
recipes-kernel/linux/linux-cip-common.inc | 2 +-
...5-cip70.bb => linux-cip_4.19.239-cip72.bb} | 2 +-
...106-cip4.bb => linux-cip_5.10.112-cip6.bb} | 2 +-
.../wic/plugins/source/efibootguard-boot.py | 42 ++++---
start-qemu.sh | 67 +++++++----
wic/qemu-arm64-efibootguard-secureboot.wks.in | 15 +++
wic/qemu-arm64-efibootguard.wks.in | 13 +++
39 files changed, 558 insertions(+), 375 deletions(-)
rename recipes-bsp/efibootguard/{efibootguard_0.10.bb => efibootguard_0.11.bb} (90%)
create mode 100644 recipes-bsp/efibootguard/files/0001-Makefile-Drop-nostdinc-for-EFI-binaries.patch
delete mode 100644 recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch
create mode 100644 recipes-bsp/u-boot/files/0001-lib-date-Make-rtc_mktime-and-mktime64-Y2038-ready.patch
create mode 100755 recipes-bsp/u-boot/files/rules
create mode 100644 recipes-bsp/u-boot/files/secure-boot.cfg
create mode 100644 recipes-bsp/u-boot/u-boot-qemu-arm64_2022.04.bb
delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
delete mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.1.bb
create mode 100644 recipes-devtools/ebg-secure-boot-signer/files/sign_secure_image.sh
delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
delete mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
create mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.key
create mode 100644 recipes-devtools/secure-boot-secrets/files/PkKek-1-snakeoil.pem
create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-key_0.1.bb
create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-secrets.inc
create mode 100644 recipes-devtools/secure-boot-secrets/secure-boot-snakeoil_0.1.bb
delete mode 100644 recipes-initramfs/initramfs-abrootfs-hook/files/debian-local-patch
create mode 100644 recipes-initramfs/initramfs-etc-overlay-hook/files/etc-overlay.hook
rename recipes-kernel/linux/{linux-cip_4.19.235-cip70.bb => linux-cip_4.19.239-cip72.bb} (72%)
rename recipes-kernel/linux/{linux-cip_5.10.106-cip4.bb => linux-cip_5.10.112-cip6.bb} (72%)
create mode 100644 wic/qemu-arm64-efibootguard-secureboot.wks.in
create mode 100644 wic/qemu-arm64-efibootguard.wks.in
--
2.34.1