From: "Quirin Gylstorff" <quirin.gylstorff@siemens.com>
To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Subject: [cip-dev][isar-cip-core][PATCH v4 0/6] secureboot with efibootguard
Date: Fri, 21 Aug 2020 11:55:53 +0200
Message-ID: <20200821095559.28467-1-Quirin.Gylstorff@siemens.com>
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This patchset adds secureboot with efibootguard to cip-core.
The image build signs the efibootguard bootloader (bootx64.efi) and generates
a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
A unified kernel image packs the kernel, initramfs and the kernel command-line
in one binary object. As the kernel command-line is immutable after the build
process, the previous selection of the root file system with a command-line parameter is no longer
possible. Therefore the selection of the root file-system occurs now in the initramfs.
The image uses an A/B partition layout to update the root file system. The sample implementation to
select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
If a match is found the rootfs is used for the boot.
Changes V2:
- rebase to [1]
- removed luahandler patch as it is now part of [1]
- add handling for sw-description
Changes V3:
- rewrite the image id creation to ensure a new uuid is generated if a new package is
added or the rootfs is changed in another way
- add README section on how to execute/test the software update mechanism
- adapt to version v3 of [1]
- update the patch
- add wks file for efibootguard and swupdate
[1]: a/b rootfsupdate with software update
Changes V4:
- rebase onto next 619edb509bd287277749580cbc842e57d5044756
- fix indent of ./start-qemu.sh
- whitespace fixes
- update libubootenv patch to v2
- update revision of cip-kernel-config to ca24d965adf77730caf1cd32bdfcffd69e369502
to boot secureboot with qemu
- swupdate swdescription for non-secure-boot images
Quirin Gylstorff (6):
linux-cip: Update revision of kernel config
isar-patch: Add initramfs-config patch
secure-boot: select boot partition in initramfs
secure-boot: Add secure boot with unified kernel image
secure-boot: Add Debian snakeoil keys for ease-of-use
doc: Add README for secureboot
classes/image_uuid.bbclass | 33 +++
conf/distro/debian-buster-backports.list | 1 +
conf/distro/preferences.ovmf-snakeoil.conf | 3 +
doc/README.secureboot.md | 229 ++++++++++++++++++
.../0001-u-boot-add-libubootenv.patch | 161 ++++++------
...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++
kas-cip.yml | 3 +
kas/opt/ebg-secure-boot-base.yml | 18 ++
kas/opt/ebg-secure-boot-snakeoil.yml | 28 +++
kas/opt/ebg-swu.yml | 4 +-
recipes-core/images/cip-core-image.bb | 12 +-
.../files/secure-boot/sw-description.tmpl | 29 +++
recipes-core/images/files/sw-description.tmpl | 19 +-
recipes-core/images/secureboot.inc | 21 ++
recipes-core/images/swupdate.inc | 21 ++
.../ebg-secure-boot-secrets_0.1.bb | 51 ++++
.../ebg-secure-boot-secrets/files/README.md | 1 +
.../files/control.tmpl | 12 +
.../files/sign_secure_image.sh.tmpl | 22 ++
.../ebg-secure-boot-snakeoil_0.1.bb | 34 +++
.../files/control.tmpl | 12 +
.../files/sign_secure_image.sh | 36 +++
.../ovmf-binaries/files/control.tmpl | 11 +
.../ovmf-binaries/ovmf-binaries_0.1.bb | 30 +++
recipes-kernel/linux/linux-cip-common.inc | 2 +-
.../files/initramfs.image_uuid.hook | 33 +++
.../files/initramfs.lsblk.hook | 29 +++
.../initramfs-config/files/postinst.ext | 3 +
.../files/secure-boot-debian-local-patch | 79 ++++++
.../initramfs-abrootfs-secureboot_0.1.bb | 38 +++
...enerate-sb-db-from-existing-certificate.sh | 16 ++
scripts/generate_secure_boot_keys.sh | 51 ++++
.../wic/plugins/source/efibootguard-boot.py | 87 ++++++-
.../wic/plugins/source/efibootguard-efi.py | 40 ++-
scripts/start-efishell.sh | 12 +
start-qemu.sh | 59 +++--
wic/ebg-signed-bootloader.inc | 2 +
wic/qemu-amd64-efibootguard-secureboot.wks | 9 +
wic/qemu-amd64-efibootguard.wks | 1 -
39 files changed, 1330 insertions(+), 129 deletions(-)
create mode 100644 classes/image_uuid.bbclass
create mode 100644 conf/distro/debian-buster-backports.list
create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
create mode 100644 doc/README.secureboot.md
create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
create mode 100644 kas/opt/ebg-secure-boot-base.yml
create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
create mode 100644 recipes-core/images/secureboot.inc
create mode 100644 recipes-core/images/swupdate.inc
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
create mode 100644 recipes-support/initramfs-config/files/postinst.ext
create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
create mode 100755 scripts/generate_secure_boot_keys.sh
create mode 100755 scripts/start-efishell.sh
create mode 100644 wic/ebg-signed-bootloader.inc
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
--
2.20.1
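The root file system selection the cover letter describes (the initramfs carries its own uuid and picks the rootfs whose /etc/os-release carries the same value) can be sketched as a small POSIX shell routine. This is an added illustration, not code from the isar-cip-core patch series: the os-release key name IMAGE_UUID, the function names and the use of already-mounted directories instead of block devices are assumptions made so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of isar-cip-core: emulate the A/B rootfs selection
# done in the initramfs. The initramfs knows its own image uuid; each root
# filesystem candidate carries a uuid in /etc/os-release; the first candidate
# whose uuid matches is the one to boot from.
#
# Assumptions (not taken from the patch series): the os-release key is called
# IMAGE_UUID, and candidates are passed as directories (already mounted
# partitions in a real initramfs) so no block devices are needed here.

# Print the IMAGE_UUID value from an os-release file, quotes stripped.
# Returns 1 if the file is missing or unreadable.
read_image_uuid() {
    [ -r "$1" ] || return 1
    sed -n 's/^IMAGE_UUID=//p' "$1" | tr -d '"' | head -n 1
}

# select_rootfs EXPECTED_UUID DIR...
# Prints the first DIR whose /etc/os-release matches EXPECTED_UUID.
# Exit status 1 when no candidate matches (the initramfs would then fail
# the boot instead of guessing).
select_rootfs() {
    expected="$1"; shift
    for candidate in "$@"; do
        found="$(read_image_uuid "$candidate/etc/os-release")" || continue
        if [ -n "$found" ] && [ "$found" = "$expected" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed sample A/B layout: two fake rootfs trees in a temp directory,
# with the uuid "baked into" this initramfs matching slot B.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/rootA/etc" "$tmp/rootB/etc"
    printf 'ID=cip-core\nIMAGE_UUID="11111111-1111-1111-1111-111111111111"\n' \
        > "$tmp/rootA/etc/os-release"
    printf 'ID=cip-core\nIMAGE_UUID="22222222-2222-2222-2222-222222222222"\n' \
        > "$tmp/rootB/etc/os-release"
    initramfs_uuid="22222222-2222-2222-2222-222222222222"   # constructed value
    if select_rootfs "$initramfs_uuid" "$tmp/rootA" "$tmp/rootB"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Running `demo` prints the path of the slot B tree. In a real initramfs the candidates would be the partitions enumerated by an lsblk hook, each mounted read-only just long enough to read /etc/os-release; the important property is that a partition with no uuid, or with a stale one left over from an interrupted update, is simply skipped rather than booted.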
Thread overview: 11+ messages
2020-08-21 9:55 Quirin Gylstorff [this message]
2020-08-21 9:55 ` [cip-dev][isar-cip-core][PATCH v4 1/6] linux-cip: Update revision of kernel config Quirin Gylstorff
2020-08-21 9:55 ` [cip-dev][isar-cip-core][PATCH v4 2/6] isar-patch: Add initramfs-config patch Quirin Gylstorff
2020-08-21 14:48 ` Jan Kiszka
2020-08-21 9:55 ` [cip-dev][isar-cip-core][PATCH v4 3/6] secure-boot: select boot partition in initramfs Quirin Gylstorff
2020-08-21 14:45 ` Jan Kiszka
2020-08-24 8:10 ` Quirin Gylstorff
2020-08-21 9:55 ` [cip-dev][isar-cip-core][PATCH v4 4/6] secure-boot: Add secure boot with unified kernel image Quirin Gylstorff
2020-08-21 9:55 ` [cip-dev][isar-cip-core][PATCH v4 5/6] secure-boot: Add Debian snakeoil keys for ease-of-use Quirin Gylstorff
2020-08-21 9:55 ` [cip-dev][isar-cip-core][PATCH v4 6/6] doc: Add README for secureboot Quirin Gylstorff
2020-08-21 15:18 ` [cip-dev][isar-cip-core][PATCH v4 0/6] secureboot with efibootguard Jan Kiszka