From patchwork Fri Jun 21 10:12:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13707278 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D24AC2BD09 for ; Fri, 21 Jun 2024 10:52:29 +0000 (UTC) Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net [185.136.64.225]) by mx.groups.io with SMTP id smtpd.web10.70161.1718967139026423166 for ; Fri, 21 Jun 2024 03:52:20 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm2 header.b=f4ychl0s; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.225, mailfrom: fm-51332-20240621105216e1e4e0c7b425b82bf6-etz5fa@rts-flowmailer.siemens.com) Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20240621105216e1e4e0c7b425b82bf6 for ; Fri, 21 Jun 2024 12:52:16 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=ZjdepYMROu+i3zRUVIPWq5IWI5dR92DMqn4i48xYn3g=; b=f4ychl0s4eZybIDVX70przrJ7wKeZDct8bYPcT4VCMaMsB4lmXiCUZOtVpivdTEIi6UOhP ZpsFkZcT9zGaxlEk0Ttsi//wsaaRGYLyEVKCaNMgmN4o1bO5ToeGrzhiF0hG2FtEUsLvhPKk 1D0EQGbQeWwJ2efDbmmRdtpqXCdrA=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][PATCH 1/2] doc: Add section howto generate the a efi auth file from snakeoil certs Date: Fri, 21 Jun 2024 12:12:28 +0200 Message-ID: <20240621105215.2233044-2-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240621105215.2233044-1-Quirin.Gylstorff@siemens.com> References: <20240621105215.2233044-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 21 Jun 2024 10:52:29 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16313 From: Quirin Gylstorff This allows to test a physical target with the snakeoil keys. Signed-off-by: Quirin Gylstorff --- doc/README.secureboot.md | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index 509de97..c5371ea 100644 --- a/doc/README.secureboot.md +++ b/doc/README.secureboot.md @@ -47,8 +47,7 @@ Supply the script name and path to wic by adding #### secure-boot-snakeoil -This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2) -backported from Debian bullseye for signing the image. +This package uses the snakeoil key and certificate from the ovmf packagefrom Debian bullseye or later for signing the image. #### secure-boot-key @@ -284,7 +283,7 @@ sda 8:0 0 6G 0 disk ├─sda1 8:1 0 16.1M 0 part ├─sda2 8:2 0 32M 0 part ├─sda3 8:3 0 32M 0 part -├─sda4 8:4 0 1G 0 part +├─sda4 8:4 0 1G 0 party ├─sda5 8:5 0 1G 0 part │ └─verityroot 252:0 0 110.9M 1 crypt / ├─sda6 8:6 0 1.3G 0 part /home @@ -295,6 +294,18 @@ sda 8:0 0 6G 0 disk Secureboot for a generic UEFI x86 target works similar to the QEMU target, except the enrollment of the secure boot keys. +### Generate keys from Debian snakeoil keys + +For testing the snakeoil keys from OVMF package can be used to convert the certitificate +into a efi authority file use the following commands: +```bash +cert-to-efi-sig-list recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.pem PK.esl +sign-efi-sig-list -k recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.key -c recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.pem PK PK.esl PK.auth +``` + +#### Prerequisites + The package `efitools` needs to be installed. + ### Secure boot key enrollment @@ -316,6 +327,9 @@ Use the recipes [secure-boot-key](###secure-boot-key) to provided the keys to the signing script contained in [ebg-secure-boot-signer](###ebg-secure-boot-signer). + + + ### [ebg-secure-boot-signer](./recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.2.bb) During building a efibootguard based wic image the scripts contained in From patchwork Fri Jun 21 10:12:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 13707276 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F1F2C2BA1A for ; Fri, 21 Jun 2024 10:52:29 +0000 (UTC) Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net [185.136.64.226]) by mx.groups.io with SMTP id smtpd.web11.70035.1718967138791673165 for ; Fri, 21 Jun 2024 03:52:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=Quirin.Gylstorff@siemens.com header.s=fm2 header.b=v0RwCLol; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.226, mailfrom: fm-51332-2024062110521619d7484e61e4045710-hx52tv@rts-flowmailer.siemens.com) Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 2024062110521619d7484e61e4045710 for ; Fri, 21 Jun 2024 12:52:16 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=Quirin.Gylstorff@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:References:In-Reply-To; bh=qQ29ErfXW2yr1XLpmVTVOZNabjM1cOFpzjUnDXXfyTE=; b=v0RwCLolnmQB1ejlH6B6jA1KGjC+bbGRrtDejuTKS0r6hvROa60jUT2T3GtRBwIwg9aT9B sSCUtgvX1jhxd95krwKXBj111gScagMe4cTxk+8e8CrUr1/Lal2TT9Xb1IEQQZsqUjyq3rCr cFSv1cGj5zxBem7bp7/bacJkDxfwg=; From: Quirin Gylstorff To: jan.kiszka@siemens.com, cip-dev@lists.cip-project.org Subject: [cip-dev][isar-cip-core][PATCH 2/2] encryption: assume broken_system_clock for e2fsck before resize Date: Fri, 21 Jun 2024 12:12:29 +0200 Message-ID: <20240621105215.2233044-3-Quirin.Gylstorff@siemens.com> In-Reply-To: <20240621105215.2233044-1-Quirin.Gylstorff@siemens.com> References: <20240621105215.2233044-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-51332:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 21 Jun 2024 10:52:29 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/16311 From: Quirin Gylstorff Some embedded system have no battery and default to some time to avoid an fsck error do to a superblock in the future. Signed-off-by: Quirin Gylstorff --- .../initramfs-crypt-hook/files/encrypt_partition.script | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script index c319540..ff4c135 100644 --- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script +++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.script @@ -72,7 +72,12 @@ reencrypt_existing_partition() { case $partition_fstype in ext*) # reduce the filesystem and partition by 32M to fit the LUKS header - e2fsck -f "$1" + export E2FSCK_CONFIG=/tmp/e2fsck.conf + cat > "$E2FSCK_CONFIG" << EOF +[options] + broken_system_clock=true +EOF + e2fsck -p -f "$1" if ! resize2fs "$1" "${reduced_size_in_kb}"; then panic "reencryption of filesystem $1 cannot continue!" fi