From patchwork Mon Oct 10 07:02:30 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sai.Sathujoda@toshiba-tsip.com X-Patchwork-Id: 13002328 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E2CE0C433F5 for ; Mon, 10 Oct 2022 07:02:42 +0000 (UTC) Received: from mo-csw.securemx.jp (mo-csw.securemx.jp [210.130.202.153]) by mx.groups.io with SMTP id smtpd.web11.3501.1665385360654024061 for ; Mon, 10 Oct 2022 00:02:41 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: toshiba-tsip.com, ip: 210.130.202.153, mailfrom: sai.sathujoda@toshiba-tsip.com) Received: by mo-csw.securemx.jp (mx-mo-csw1514) id 29A72cba030985; Mon, 10 Oct 2022 16:02:38 +0900 X-Iguazu-Qid: 34trtLOdcrWwh3fQu2 X-Iguazu-QSIG: v=2; s=0; t=1665385358; q=34trtLOdcrWwh3fQu2; m=oCPC4gh5Dol9cn8hPNG3gXoeIcHcru0SP4r2qYBo5Hs= Received: from imx12-a.toshiba.co.jp ([38.106.60.135]) by relay.securemx.jp (mx-mr1510) id 29A72bDv022705 (version=TLSv1.2 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 10 Oct 2022 16:02:38 +0900 
From: Sai.Sathujoda@toshiba-tsip.com To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [isar-cip-core 1/3] start-qemu.sh : Set bullseye as default DISTRO RELEASE Date: Mon, 10 Oct 2022 12:32:30 +0530 X-TSB-HOP2: ON Message-Id: <20221010070232.10478-2-Sai.Sathujoda@toshiba-tsip.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20221010070232.10478-1-Sai.Sathujoda@toshiba-tsip.com> References: <20221010070232.10478-1-Sai.Sathujoda@toshiba-tsip.com> MIME-Version: 1.0 X-OriginalArrivalTime: 10 Oct 2022 07:02:34.0482 (UTC) FILETIME=[45ECAD20:01D8DC76] List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 10 Oct 2022 07:02:42 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9703 From: Sai Signed-off-by: Sai --- start-qemu.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/start-qemu.sh b/start-qemu.sh index bcc7a51..639951e 100755 --- a/start-qemu.sh +++ b/start-qemu.sh 
@@ -31,10 +31,10 @@ if [ -n "${QEMU_PATH}" ]; then fi if [ -z "${DISTRO_RELEASE}" ]; then - if grep -s -q "DEBIAN_BULLSEYE: true" .config.yaml; then - DISTRO_RELEASE="bullseye" - else + if grep -s -q "DEBIAN_BUSTER: true" .config.yaml; then DISTRO_RELEASE="buster" + else + DISTRO_RELEASE="bullseye" fi fi From patchwork Mon Oct 10 07:02:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Sai.Sathujoda@toshiba-tsip.com X-Patchwork-Id: 13005235 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mo-csw.securemx.jp (mo-csw.securemx.jp [210.130.202.155]) by mx.groups.io with SMTP id smtpd.web10.3621.1665385361262635829 for ; Mon, 10 Oct 2022 00:02:41 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: toshiba-tsip.com, ip: 210.130.202.155, mailfrom: sai.sathujoda@toshiba-tsip.com) Received: by mo-csw.securemx.jp (mx-mo-csw1516) id 29A72diq015771; Mon, 10 Oct 2022 16:02:39 +0900 X-Iguazu-Qid: 34ts01SW9QcoxfKccb X-Iguazu-QSIG: v=2; s=0; t=1665385359; q=34ts01SW9QcoxfKccb; m=PjrQ++2wg9wpyL9kphvAX6QDHzA6Z0C59iUk/CCTAeM= Received: from imx12-a.toshiba.co.jp ([38.106.60.135]) by relay.securemx.jp (mx-mr1513) id 29A72c5V000464 (version=TLSv1.2 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 10 Oct 2022 16:02:39 +0900 
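Review bot: the commit message has no body, so the reason for inverting the check (grep for `DEBIAN_BUSTER: true` and fall through to `bullseye`) is not recorded; state that bullseye is now the default release of the base configuration so the change stays traceable. Functionally the hunk is fine, but note that every release other than buster now silently maps to `DISTRO_RELEASE="bullseye"`; a check that reads the release name out of the `DEBIAN_<RELEASE>: true` line of `.config.yaml` (for example a `sed -n` expression that lower-cases the matched suffix) would avoid editing this branch again at the next release. Also consider anchoring the pattern (`^DEBIAN_BUSTER: true`), since `grep -s -q` as written also matches a commented-out line.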
From: sai.sathujoda@toshiba-tsip.com To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [isar-cip-core 2/3] README.secureboot.md : Update steps for user-generated keys Date: Mon, 10 Oct 2022 12:32:31 +0530 X-TSB-HOP2: ON Message-Id: <20221010070232.10478-3-Sai.Sathujoda@toshiba-tsip.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20221010070232.10478-1-Sai.Sathujoda@toshiba-tsip.com> References: <20221010070232.10478-1-Sai.Sathujoda@toshiba-tsip.com> MIME-Version: 1.0 X-OriginalArrivalTime: 10 Oct 2022 07:02:34.0669 (UTC) FILETIME=[460935D0:01D8DC76] List-Id: From: Sai Modified readme for the following changes - Updated sample kas file for recent modifications in base yaml files. - Corrected syntaxes of the reference links to sub sections - changed steps for copying the swu file inside qemu image Signed-off-by: Sai --- doc/README.secureboot.md | 55 +++++++++++++++++++++++++++------------- 1 file changed, 38 insertions(+), 17 deletions(-) diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index 319b4db..6b90497 100644 --- a/doc/README.secureboot.md +++ b/doc/README.secureboot.md @@ -76,7 +76,7 @@ Set up a secure boot test environment with [QEMU](https://www.qemu.org/) ### Debian Snakeoil keys The build copies the Debian Snakeoil keys to the directory `./build/tmp/deploy/images//OVMF. -You can use them as described in section [Start Image](### Start the image). +You can use them as described in section [Start Image](#start-the-image). ### Generate Keys 
@@ -147,16 +147,28 @@ For user-generated keys, create a new option file in the repository. This option header: version: 10 includes: - - kas/opt/ebg-secure-boot-base.yml + - kas/opt/ebg-swu.yml + +local_conf_header: + secure-boot-image: | + IMAGE_CLASSES += "verity" + IMAGE_FSTYPES = "wic" + WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" + INITRAMFS_INSTALL_append = " initramfs-verity-hook" + # abrootfs cannot be installed together with verity + INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook" local_conf_header: secure-boot: | - IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" - IMAGER_INSTALL += "ebg-secure-boot-secrets" + IMAGER_BUILD_DEPS += "ebg-secure-boot-signer" + IMAGER_INSTALL += "ebg-secure-boot-signer" + +# Use user-generated keys + PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-key" + user-keys: | - SB_CERTDB = "democertdb" - SB_VERIFY_CERT = "demo.crt" - SB_KEY_NAME = "demo" + SB_CERT = "demo.crt" + SB_KEY = "demo.key" ``` Replace `demo` with the name of the user-generated certificates. The user-generated certificates 
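Review bot: the sample option file now contains two top-level `local_conf_header:` keys (the added `secure-boot-image` block and the existing `secure-boot`/`user-keys` block); YAML loaders keep only the last duplicate key, so `IMAGE_CLASSES += "verity"`, `WKS_FILE` and the two `INITRAMFS_INSTALL` lines would be silently dropped from the generated local.conf. Merge them into one `local_conf_header:` mapping with `secure-boot-image:`, `secure-boot:` and `user-keys:` as sub-keys. The added `# Use user-generated keys` comment and the `PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-key"` line sit inside the `secure-boot: |` literal block and must be indented to the block's content level (four spaces), otherwise a less-indented line terminates the block scalar and the lines that follow fail to parse. Finally, `SB_KEY = "demo.key"` points the build at a private signing key: the paragraph after the snippet should say where the build looks for `demo.crt`/`demo.key` and warn against committing the key next to the option file in the repository.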
@@ -200,21 +212,27 @@ OVMF_VARS= \ ./start-qemu.sh amd64 ``` +After boot check the dmesg for secure boot status like below: +``` +root@demo:~# dmesg | grep Secure +[ 0.008368] Secure boot enabled +``` ## Example: Update the image For updating the image, the following steps are necessary: -- [Build the image with snakeoil keys](### Build image) +- [Build the image with snakeoil keys](#build-image) - save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-bullseye-qemu-amd64.swu` to /tmp -- modify the image for example add a new version to the image by adding `PV=2.0.0` to - [cip-core-image.bb](recipes-core/images/cip-core-image.bb) -- start the new target and copy the swu `cip-core-image-cip-core-bullseye-qemu-amd64.swu` - to the running system, e.g.: +- modify the image for example, switch to the RT kernel as modification: +``` +kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-secure-boot-snakeoil.yml:kas/opt/rt.yml +``` +- start the new target ``` -SECURE=y ./start-qemu.sh amd64 -virtfs local,path=/tmp,mount_tag=host0,security_model=passthrough,id=host0 +SECURE_BOOT=y ./start-qemu.sh amd64 ``` -- mount `host0` on target with: +Copy the swu cip-core-image-cip-core-bullseye-qemu-amd64.swu to the running system ``` -mount -t 9p -o trans=virtio,version=9p2000.L host0 /mnt +scp -P 22222 /tmp/cip-core-image-cip-core-bullseye-qemu-amd64.swu root@127.0.0.1:/home/ ``` - check which partition is booted, e.g. with `lsblk`: ``` 
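Review bot: the new `scp -P 22222 ... root@127.0.0.1:/home/` step assumes that `start-qemu.sh` forwards host port 22222 to the guest's sshd and that root login over ssh is enabled in the image; neither is stated, so add a sentence naming the port forward (QEMU `hostfwd=`) and the expected credentials, or the reader cannot tell why the copy fails. The "Copy the swu ... to the running system" line also dropped out of the bullet list (no leading `- `), and "modify the image for example, switch to the RT kernel as modification:" should read "modify the image, for example by switching to the RT kernel:". The `dmesg | grep Secure` check is useful but depends on the early boot messages still being in the ring buffer; it is worth mentioning the UEFI `SecureBoot` variable under `/sys/firmware/efi/efivars/` (data byte 1 means enabled) as the authoritative check.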
@@ -228,8 +246,11 @@ sda 8:0 0 2G 0 disk └─sda5 8:5 0 1000M 0 part ``` -- install with `swupdate -i /mnt/cip-core-image-cip-core-bullseye-qemu-amd64.swu` -- reboot +- install the swupdate and reboot the image +``` +root@demo:~# swupdate -i /home/cip-core-image-cip-core-bullseye-qemu-amd64.swu` +root@demo:~# reboot +``` - check which partition is booted, e.g. with `lsblk`. The rootfs should have changed: ``` root@demo:~# lsblk From patchwork Mon Oct 10 07:02:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sai.Sathujoda@toshiba-tsip.com X-Patchwork-Id: 13002330 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C7043C433F5 for ; Mon, 10 Oct 2022 07:02:52 +0000 (UTC) Received: from mo-csw.securemx.jp (mo-csw.securemx.jp [210.130.202.156]) by mx.groups.io with SMTP id smtpd.web10.3622.1665385362897430266 for ; Mon, 10 Oct 2022 00:02:43 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: toshiba-tsip.com, ip: 210.130.202.156, mailfrom: sai.sathujoda@toshiba-tsip.com) Received: by mo-csw.securemx.jp (mx-mo-csw1114) id 29A72e8c006208; Mon, 10 Oct 2022 16:02:40 +0900 X-Iguazu-Qid: 2wHHOH6CCgO9mKelGa X-Iguazu-QSIG: v=2; s=0; t=1665385360; q=2wHHOH6CCgO9mKelGa; m=1Z/9aElWlkoQWm4DKhkMulDbnqg++hatf9Q8z2Cn7RU= Received: from imx12-a.toshiba.co.jp ([38.106.60.135]) by relay.securemx.jp (mx-mr1113) id 29A72dNq026528 (version=TLSv1.2 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 10 Oct 2022 16:02:40 +0900 
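Review bot: the `swupdate -i /home/cip-core-image-cip-core-bullseye-qemu-amd64.swu` line inside the fenced block ends with a stray backtick that anyone pasting the command will send to the shell; drop it. The bullet text "install the swupdate and reboot the image" should read "install the update with swupdate and reboot". It would also help to say what a successful `swupdate -i` run prints before the reboot, so the reader can tell a failed installation from a successful one before checking `lsblk`.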
From: Sai.Sathujoda@toshiba-tsip.com To: cip-dev@lists.cip-project.org, jan.kiszka@siemens.com Cc: Sai , dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp Subject: [isar-cip-core 3/3] start-efishell.sh : Use default OVMF files with '4M' size Date: Mon, 10 Oct 2022 12:32:32 +0530 X-TSB-HOP2: ON Message-Id: <20221010070232.10478-4-Sai.Sathujoda@toshiba-tsip.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20221010070232.10478-1-Sai.Sathujoda@toshiba-tsip.com> References: <20221010070232.10478-1-Sai.Sathujoda@toshiba-tsip.com> MIME-Version: 1.0 X-OriginalArrivalTime: 10 Oct 2022 07:02:34.0888 (UTC) FILETIME=[462AA080:01D8DC76] List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 10 Oct 2022 07:02:52 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/9705 From: Sai Make changes in the OVMF keys to be in sync with changes made in da0ff6630c7f6e48fc82b3766a04992bee7fcafe Signed-off-by: Sai --- scripts/start-efishell.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh index 0831f83..980b9cc 100755 --- a/scripts/start-efishell.sh +++ b/scripts/start-efishell.sh @@ -1,6 +1,6 @@ #!/bin/sh -ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.secboot.fd} -ovmf_vars=${OVMF_VARS:-./OVMF_VARS.fd} +ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE_4M.secboot.fd} +ovmf_vars=${OVMF_VARS:-./OVMF_VARS_4M.fd} DISK=$1 qemu-system-x86_64 -enable-kvm -M q35 -nographic \ -cpu host,hv_relaxed,hv_vapic,hv-spinlocks=0xfff -smp 2 -m 2G -no-hpet \
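Review bot: the vars default `./OVMF_VARS_4M.fd` is a relative path with no existence check, and the code and vars images must come from the same 4M flash layout; a 2M `OVMF_VARS.fd` left over from the previous default, or a missing file in the current directory, makes `qemu-system-x86_64` fail with an opaque pflash error. Add a `[ -f "$ovmf_vars" ] || { echo "missing $ovmf_vars" >&2; exit 1; }` guard (the same for `$DISK`, since `DISK=$1` is used unchecked) and mention in the commit message where the matching 4M vars file is produced, beyond the bare reference to da0ff6630c7f6e48fc82b3766a04992bee7fcafe.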