| Message ID | 20240705071129.1374609-3-Shivanand.Kunijadar@toshiba-tsip.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Update README files | expand |
On 05.07.24 09:11, Shivanand Kunijadar wrote: > From: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com> > > Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com> > --- > doc/boards/README.m-com-x86.md | 112 +++++++++++++++++++++++++++++++++ > 1 file changed, 112 insertions(+) > create mode 100644 doc/boards/README.m-com-x86.md > > diff --git a/doc/boards/README.m-com-x86.md b/doc/boards/README.m-com-x86.md > new file mode 100644 > index 0000000..a72dd09 > --- /dev/null > +++ b/doc/boards/README.m-com-x86.md > @@ -0,0 +1,112 @@ > +# ISAR CIP Core: Instructions for M-COM RT X86 V1 > + > +## Build the CIP Core image > + > +Set up `kas-container` as described in the [top-level README](../../README.md). > +Then build the image: > + > +``` > +$ ./kas-container build kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/6.1.yml:kas/opt/bookworm.yml > +``` > + > +After the build is finished, insert a USB stick and flash the image. > + > + > +**Note:** please make sure to diable watchdog by setting timeout as "0" for SWUpdate and Secure Boot images. disable But this section is redundant to the description below. > + > +## Software Update and verification > + > +Build the Software update enabled image, > +``` > +host$ ./kas-container menu > +``` > +Select below things, > + > +* Generic x86 machine booting via UEFI > +* Kernel 6.1.x-cip > +* Bookworm (12) > +* Security extensions > +* Set EFI Boot Guard watchdog timeout in seconds to "0" > +* Click on Build to build the image > + > +Copy the .swu file generated from the above build to temporary folder, which will be used for swupdate. > + > +Create second image(RT Kernel image) by selecting all the options mentioned above and additionally select RT Kernel option. > + > +Flash the image with RT Kernel to USB and boot the image from USB. Copy the .swu file from the temporary folder to M-COM device. > + > +For verification, please follow the [SWUpdate verification steps](../README.swupdate.md#swupdate-verification) > + > +## Secure Boot Configuration and Verification > + > +**Note:** > +* All the steps are specific to M-COM RT X86 V1 device hence consult device specific manual for other devices for Secure Boot verification. > + > +Copy KeyTool.efi and UEFI keys into USB stick as mentioned in [Secure boot key enrollment](../README.secureboot.md#secure-boot-key-enrollment) > + > +Insert USB memory stick to M-COM device. > + > +Power on and Press F12 key to Enter BIOS setup. > + > +**Note:** > +* if you want to restore the default BIOS settings then > +Under "Save & Exit" tab, Click on "Restore User Defaults" and select "Yes" to restore default values. > + > +Enable Secure Boot and enter to Setup Mode by following below steps > + > +**Note:** > +* Due to following step, old keys will be deleted hence it’s recommended to take backup of old keys to avoid any data loss. > + > +Under Security tab, > +* Enable Secure Boot if disabled. The System Mode will be "User" by default. > +* Click on "Reset To Setup Mode" to remove existing keys. > + Select "Yes" to delete all Secure Boot keys database > +* The System Mode should change to "Setup" once we delete all Secure Boot keys. > + > +Under Save & Exit tab, > +* Go to "Boot Override" and click on "UEFI: Built-in EFI shell" which will launch the EFI shell. > +* In the EFI shell, run KeyTool.efi from the USB stick and add all Secure Boot keys from USB. Follow the step-4 from the section [Add Keys to OVMF](../README.secureboot.md#add-keys-to-ovmf) to inject the Secure Boot keys. > + > +Exit from the KeyTool.efi and built-in EFI shell to BIOS. > + > +Optionally you can confirm the injected keys like below: > + > +Under security tab, > +* Click on "Secure Boot" and then "Key Management" to confirm the injected Secure Boot keys (DB, KEK and PK). > + > +Under Save & Exit" tab > +* Click on "Save Changes & Exit". > + > +Now the keys are injected, remove the USB stick. > + > +Build the Secure Boot enable image, > +``` > +host$ ./kas-container menu > +``` > +Select below things, > +* Generic x86 machine booting via UEFI > +* Kernel 6.1.x-cip > +* Bookworm (12) > +* Security extensions --> select Secure boot support > +* Set EFI Boot Guard watchdog timeout in seconds to "0" > +* Click on Build to build the image > + This described the build for the third time, no? > +Once build is completed, flash the Secure Boot image to USB stick and insert the USB memory stick to M-COM device. > + > +Power on and Press F12 key to Enter BIOS setup. > + > +In the BIOS, Configure the device to boot from USB by following below steps > + > +Under "Boot" tab, > + > +* Select "Boot Option #1" as USB device from the "Boot Option Priorities" section. > + > +Under "Save & Exit" tab, > + > +* Click on "Save Changes & Exit". The M-COM board starts to boot the image from USB. > + > +After boot, check the dmesg for Secure Boot status like below: > +``` > +root@demo:~# dmesg | grep Secure > +[ 0.008368] Secure boot enabled > +``` Jan
Hi Jan, Thanks for the comments. Yes, in the current README the build steps are redundant, I will consolidate build steps in one place and will refer it in all sections. I will send the v3 patch for the above change. I would have mentioned the build commands directly for SWUpdate and Secure boot like below but I can't disable the watchdog without Kconfig menu. It is possible only by locally updating the recipe but that is not the correct way, so I used Kconfig menu for build steps. SWUpdate: ./kas-container build kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/6.1.yml:kas/opt/bookworm.yml:kas/opt/ebg-swu.yml Secure boot: ./kas-container build kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/6.1.yml:kas/opt/bookworm.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml Thanks & Regards Shivanand K -----Original Message----- From: Jan Kiszka <jan.kiszka@siemens.com> Sent: Friday, July 5, 2024 4:46 PM To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp> Subject: Re: [isar-cip-core v2 2/2] README.m-com-x86.md: Add M-COM board specific details On 05.07.24 09:11, Shivanand Kunijadar wrote: > From: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com> > > Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com> > --- > doc/boards/README.m-com-x86.md | 112 > +++++++++++++++++++++++++++++++++ > 1 file changed, 112 insertions(+) > create mode 100644 doc/boards/README.m-com-x86.md > > diff --git a/doc/boards/README.m-com-x86.md > b/doc/boards/README.m-com-x86.md new file mode 100644 index > 0000000..a72dd09 > --- /dev/null > +++ b/doc/boards/README.m-com-x86.md > @@ -0,0 +1,112 @@ > +# ISAR CIP Core: Instructions for M-COM RT X86 V1 > + > +## Build the CIP Core image > + > +Set up `kas-container` as described in the [top-level README](../../README.md). > +Then build the image: > + > +``` > +$ ./kas-container build > +kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/6.1.yml:kas/opt/bookworm.y > +ml > +``` > + > +After the build is finished, insert a USB stick and flash the image. > + > + > +**Note:** please make sure to diable watchdog by setting timeout as "0" for SWUpdate and Secure Boot images. disable But this section is redundant to the description below. > + > +## Software Update and verification > + > +Build the Software update enabled image, ``` host$ ./kas-container > +menu ``` Select below things, > + > +* Generic x86 machine booting via UEFI > +* Kernel 6.1.x-cip > +* Bookworm (12) > +* Security extensions > +* Set EFI Boot Guard watchdog timeout in seconds to "0" > +* Click on Build to build the image > + > +Copy the .swu file generated from the above build to temporary folder, which will be used for swupdate. > + > +Create second image(RT Kernel image) by selecting all the options mentioned above and additionally select RT Kernel option. > + > +Flash the image with RT Kernel to USB and boot the image from USB. Copy the .swu file from the temporary folder to M-COM device. > + > +For verification, please follow the [SWUpdate verification > +steps](../README.swupdate.md#swupdate-verification) > + > +## Secure Boot Configuration and Verification > + > +**Note:** > +* All the steps are specific to M-COM RT X86 V1 device hence consult device specific manual for other devices for Secure Boot verification. > + > +Copy KeyTool.efi and UEFI keys into USB stick as mentioned in [Secure > +boot key > +enrollment](../README.secureboot.md#secure-boot-key-enrollment) > + > +Insert USB memory stick to M-COM device. > + > +Power on and Press F12 key to Enter BIOS setup. > + > +**Note:** > +* if you want to restore the default BIOS settings then Under "Save & > +Exit" tab, Click on "Restore User Defaults" and select "Yes" to restore default values. > + > +Enable Secure Boot and enter to Setup Mode by following below steps > + > +**Note:** > +* Due to following step, old keys will be deleted hence it’s recommended to take backup of old keys to avoid any data loss. > + > +Under Security tab, > +* Enable Secure Boot if disabled. The System Mode will be "User" by default. > +* Click on "Reset To Setup Mode" to remove existing keys. > + Select "Yes" to delete all Secure Boot keys database > +* The System Mode should change to "Setup" once we delete all Secure Boot keys. > + > +Under Save & Exit tab, > +* Go to "Boot Override" and click on "UEFI: Built-in EFI shell" which will launch the EFI shell. > +* In the EFI shell, run KeyTool.efi from the USB stick and add all Secure Boot keys from USB. Follow the step-4 from the section [Add Keys to OVMF](../README.secureboot.md#add-keys-to-ovmf) to inject the Secure Boot keys. > + > +Exit from the KeyTool.efi and built-in EFI shell to BIOS. > + > +Optionally you can confirm the injected keys like below: > + > +Under security tab, > +* Click on "Secure Boot" and then "Key Management" to confirm the injected Secure Boot keys (DB, KEK and PK). > + > +Under Save & Exit" tab > +* Click on "Save Changes & Exit". > + > +Now the keys are injected, remove the USB stick. > + > +Build the Secure Boot enable image, > +``` > +host$ ./kas-container menu > +``` > +Select below things, > +* Generic x86 machine booting via UEFI > +* Kernel 6.1.x-cip > +* Bookworm (12) > +* Security extensions --> select Secure boot support > +* Set EFI Boot Guard watchdog timeout in seconds to "0" > +* Click on Build to build the image > + This described the build for the third time, no? > +Once build is completed, flash the Secure Boot image to USB stick and insert the USB memory stick to M-COM device. > + > +Power on and Press F12 key to Enter BIOS setup. > + > +In the BIOS, Configure the device to boot from USB by following below > +steps > + > +Under "Boot" tab, > + > +* Select "Boot Option #1" as USB device from the "Boot Option Priorities" section. > + > +Under "Save & Exit" tab, > + > +* Click on "Save Changes & Exit". The M-COM board starts to boot the image from USB. > + > +After boot, check the dmesg for Secure Boot status like below: > +``` > +root@demo:~# dmesg | grep Secure > +[ 0.008368] Secure boot enabled > +``` Jan -- Siemens AG, Technology Linux Expert Center
diff --git a/doc/boards/README.m-com-x86.md b/doc/boards/README.m-com-x86.md new file mode 100644 index 0000000..a72dd09 --- /dev/null +++ b/doc/boards/README.m-com-x86.md @@ -0,0 +1,112 @@ +# ISAR CIP Core: Instructions for M-COM RT X86 V1 + +## Build the CIP Core image + +Set up `kas-container` as described in the [top-level README](../../README.md). +Then build the image: + +``` +$ ./kas-container build kas-cip.yml:kas/board/x86-uefi.yml:kas/opt/6.1.yml:kas/opt/bookworm.yml +``` + +After the build is finished, insert a USB stick and flash the image. + + +**Note:** please make sure to diable watchdog by setting timeout as "0" for SWUpdate and Secure Boot images. + +## Software Update and verification + +Build the Software update enabled image, +``` +host$ ./kas-container menu +``` +Select below things, + +* Generic x86 machine booting via UEFI +* Kernel 6.1.x-cip +* Bookworm (12) +* Security extensions +* Set EFI Boot Guard watchdog timeout in seconds to "0" +* Click on Build to build the image + +Copy the .swu file generated from the above build to temporary folder, which will be used for swupdate. + +Create second image(RT Kernel image) by selecting all the options mentioned above and additionally select RT Kernel option. + +Flash the image with RT Kernel to USB and boot the image from USB. Copy the .swu file from the temporary folder to M-COM device. + +For verification, please follow the [SWUpdate verification steps](../README.swupdate.md#swupdate-verification) + +## Secure Boot Configuration and Verification + +**Note:** +* All the steps are specific to M-COM RT X86 V1 device hence consult device specific manual for other devices for Secure Boot verification. + +Copy KeyTool.efi and UEFI keys into USB stick as mentioned in [Secure boot key enrollment](../README.secureboot.md#secure-boot-key-enrollment) + +Insert USB memory stick to M-COM device. + +Power on and Press F12 key to Enter BIOS setup. + +**Note:** +* if you want to restore the default BIOS settings then +Under "Save & Exit" tab, Click on "Restore User Defaults" and select "Yes" to restore default values. + +Enable Secure Boot and enter to Setup Mode by following below steps + +**Note:** +* Due to following step, old keys will be deleted hence it’s recommended to take backup of old keys to avoid any data loss. + +Under Security tab, +* Enable Secure Boot if disabled. The System Mode will be "User" by default. +* Click on "Reset To Setup Mode" to remove existing keys. + Select "Yes" to delete all Secure Boot keys database +* The System Mode should change to "Setup" once we delete all Secure Boot keys. + +Under Save & Exit tab, +* Go to "Boot Override" and click on "UEFI: Built-in EFI shell" which will launch the EFI shell. +* In the EFI shell, run KeyTool.efi from the USB stick and add all Secure Boot keys from USB. Follow the step-4 from the section [Add Keys to OVMF](../README.secureboot.md#add-keys-to-ovmf) to inject the Secure Boot keys. + +Exit from the KeyTool.efi and built-in EFI shell to BIOS. + +Optionally you can confirm the injected keys like below: + +Under security tab, +* Click on "Secure Boot" and then "Key Management" to confirm the injected Secure Boot keys (DB, KEK and PK). + +Under Save & Exit" tab +* Click on "Save Changes & Exit". + +Now the keys are injected, remove the USB stick. + +Build the Secure Boot enable image, +``` +host$ ./kas-container menu +``` +Select below things, +* Generic x86 machine booting via UEFI +* Kernel 6.1.x-cip +* Bookworm (12) +* Security extensions --> select Secure boot support +* Set EFI Boot Guard watchdog timeout in seconds to "0" +* Click on Build to build the image + +Once build is completed, flash the Secure Boot image to USB stick and insert the USB memory stick to M-COM device. + +Power on and Press F12 key to Enter BIOS setup. + +In the BIOS, Configure the device to boot from USB by following below steps + +Under "Boot" tab, + +* Select "Boot Option #1" as USB device from the "Boot Option Priorities" section. + +Under "Save & Exit" tab, + +* Click on "Save Changes & Exit". The M-COM board starts to boot the image from USB. + +After boot, check the dmesg for Secure Boot status like below: +``` +root@demo:~# dmesg | grep Secure +[ 0.008368] Secure boot enabled +```