From: "Quirin Gylstorff" <quirin.gylstorff@siemens.com>
To: dinesh.kumar@toshiba-tsip.com, jan.kiszka@siemens.com,
cip-dev@lists.cip-project.org
Cc: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Subject: [cip-dev][isar-cip-core][PATCH v2] README.secureboot: Corrections
Date: Fri, 30 Apr 2021 15:15:19 +0200 [thread overview]
Message-ID: <20210430131519.23750-1-Quirin.Gylstorff@siemens.com> (raw)
In-Reply-To: <20210430121957.13306-1-Quirin.Gylstorff@siemens.com>
[-- Attachment #1: Type: text/plain, Size: 2540 bytes --]
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys
Add build command for user generated keys
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Changes in V2:
- remove unnecessary new-lines
doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
+```
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU
### Build image
Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```
-For user-generated keys, create a new option file. This option file could look like this:
+For user-generated keys, create a new option file in the repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml
local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```
-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates. The user-generated certificates
+need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+```
### Start the image
--
2.20.1
[-- Attachment #2: Type: text/plain, Size: 428 bytes --]
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6407): https://lists.cip-project.org/g/cip-dev/message/6407
Mute This Topic: https://lists.cip-project.org/mt/82480976/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2021-04-30 13:19 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-30 12:19 [cip-dev][isar-cip-core][PATCH] README.secureboot: Corrections Quirin Gylstorff
2021-04-30 12:28 ` Jan Kiszka
2021-04-30 13:15 ` Quirin Gylstorff [this message]
2021-04-30 14:06 ` [cip-dev] [isar-cip-core][PATCH v2] " Dinesh Kumar
2021-05-05 16:47 ` Jan Kiszka
2021-05-05 18:47 ` Quirin Gylstorff
2021-05-06 4:46 ` Dinesh Kumar
2021-05-06 4:39 ` Dinesh Kumar
2021-04-30 14:51 ` [cip-dev][isar-cip-core][PATCH " Jan Kiszka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210430131519.23750-1-Quirin.Gylstorff@siemens.com \
--to=quirin.gylstorff@siemens.com \
--cc=cip-dev@lists.cip-project.org \
--cc=dinesh.kumar@toshiba-tsip.com \
--cc=jan.kiszka@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.