All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Quirin Gylstorff" <quirin.gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Subject: [cip-dev][isar-cip-core][PATCH v4 0/6] secureboot with efibootguard
Date: Fri, 21 Aug 2020 11:55:53 +0200	[thread overview]
Message-ID: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 6446 bytes --]

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds secureboot with efibootguard to cip-core.

The image build signs the efibootguard bootloader (bootx64.efi) and generates
a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
A unified kernel image packs the kernel, initramfs and the kernel command-line
in one binary object. As the kernel command-line is immutable after the build
process, the previous selection of the root file system with a command-line parameter is no longer
possible. Therefore the selection of the root file-system occurs now in the initramfs.

The image uses an A/B partition layout to update the root file system. The sample implementation to
select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
If a match is found the rootfs is used for the boot.

Changes V2:

 - rebase to [1]
 - removed luahandler patch as it now part of [1]
 - add handling for sw-description

Changes V3:

 - rewrite the image id creation to ensure a new uuid is generated if a new package is
  added or another change of the rootfs
 - add readme section how to execute/test the software update mechnism
 - adapt to version v3 of [1]
 - update the patch
 - add wks file for efibootguard and swupdate

[1]: a/b rootfsupdate with software update

Changes V4:

 - rebase onto next 619edb509bd287277749580cbc842e57d5044756
 - fix indent of ./start-qemu.sh
 - whitespace fixes
 - update libubootenv patch to v2
 - update revision of cip-kernel-config to ca24d965adf77730caf1cd32bdfcffd69e369502
   to boot secureboot with qemu
 - swupdate swdescription for non-secure-boot images

Quirin Gylstorff (6):
  linux-cip: Update revision of kernel config
  isar-patch: Add initramfs-config patch
  secure-boot: select boot partition in initramfs
  secure-boot: Add secure boot with unified kernel image
  secure-boot: Add Debian snakeoil keys for ease-of-use
  doc: Add README for secureboot

 classes/image_uuid.bbclass                    |  33 +++
 conf/distro/debian-buster-backports.list      |   1 +
 conf/distro/preferences.ovmf-snakeoil.conf    |   3 +
 doc/README.secureboot.md                      | 229 ++++++++++++++++++
 .../0001-u-boot-add-libubootenv.patch         | 161 ++++++------
 ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++
 kas-cip.yml                                   |   3 +
 kas/opt/ebg-secure-boot-base.yml              |  18 ++
 kas/opt/ebg-secure-boot-snakeoil.yml          |  28 +++
 kas/opt/ebg-swu.yml                           |   4 +-
 recipes-core/images/cip-core-image.bb         |  12 +-
 .../files/secure-boot/sw-description.tmpl     |  29 +++
 recipes-core/images/files/sw-description.tmpl |  19 +-
 recipes-core/images/secureboot.inc            |  21 ++
 recipes-core/images/swupdate.inc              |  21 ++
 .../ebg-secure-boot-secrets_0.1.bb            |  51 ++++
 .../ebg-secure-boot-secrets/files/README.md   |   1 +
 .../files/control.tmpl                        |  12 +
 .../files/sign_secure_image.sh.tmpl           |  22 ++
 .../ebg-secure-boot-snakeoil_0.1.bb           |  34 +++
 .../files/control.tmpl                        |  12 +
 .../files/sign_secure_image.sh                |  36 +++
 .../ovmf-binaries/files/control.tmpl          |  11 +
 .../ovmf-binaries/ovmf-binaries_0.1.bb        |  30 +++
 recipes-kernel/linux/linux-cip-common.inc     |   2 +-
 .../files/initramfs.image_uuid.hook           |  33 +++
 .../files/initramfs.lsblk.hook                |  29 +++
 .../initramfs-config/files/postinst.ext       |   3 +
 .../files/secure-boot-debian-local-patch      |  79 ++++++
 .../initramfs-abrootfs-secureboot_0.1.bb      |  38 +++
 ...enerate-sb-db-from-existing-certificate.sh |  16 ++
 scripts/generate_secure_boot_keys.sh          |  51 ++++
 .../wic/plugins/source/efibootguard-boot.py   |  87 ++++++-
 .../wic/plugins/source/efibootguard-efi.py    |  40 ++-
 scripts/start-efishell.sh                     |  12 +
 start-qemu.sh                                 |  59 +++--
 wic/ebg-signed-bootloader.inc                 |   2 +
 wic/qemu-amd64-efibootguard-secureboot.wks    |   9 +
 wic/qemu-amd64-efibootguard.wks               |   1 -
 39 files changed, 1330 insertions(+), 129 deletions(-)
 create mode 100644 classes/image_uuid.bbclass
 create mode 100644 conf/distro/debian-buster-backports.list
 create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
 create mode 100644 doc/README.secureboot.md
 create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
 create mode 100644 kas/opt/ebg-secure-boot-base.yml
 create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
 create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
 create mode 100644 recipes-core/images/secureboot.inc
 create mode 100644 recipes-core/images/swupdate.inc
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
 create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
 create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
 create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
 create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
 create mode 100644 recipes-support/initramfs-config/files/postinst.ext
 create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
 create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
 create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
 create mode 100755 scripts/generate_secure_boot_keys.sh
 create mode 100755 scripts/start-efishell.sh
 create mode 100644 wic/ebg-signed-bootloader.inc
 create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks

-- 
2.20.1


[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5169): https://lists.cip-project.org/g/cip-dev/message/5169
Mute This Topic: https://lists.cip-project.org/mt/76326081/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

             reply	other threads:[~2020-08-21  9:56 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-21  9:55 Quirin Gylstorff [this message]
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 1/6] linux-cip: Update revision of kernel config Quirin Gylstorff
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 2/6] isar-patch: Add initramfs-config patch Quirin Gylstorff
2020-08-21 14:48   ` Jan Kiszka
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 3/6] secure-boot: select boot partition in initramfs Quirin Gylstorff
2020-08-21 14:45   ` Jan Kiszka
2020-08-24  8:10     ` Quirin Gylstorff
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 4/6] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
2020-08-21  9:55 ` [cip-dev][isar-cip-core][PATCH v4 6/6] doc: Add README for secureboot Quirin Gylstorff
2020-08-21 15:18 ` [cip-dev][isar-cip-core][PATCH v4 0/6] secureboot with efibootguard Jan Kiszka

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200821095559.28467-1-Quirin.Gylstorff@siemens.com \
    --to=quirin.gylstorff@siemens.com \
    --cc=cip-dev@lists.cip-project.org \
    --cc=jan.kiszka@siemens.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.