[isar-cip-core][PATCH v4 0/6] secureboot with efibootguard


Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds secureboot with efibootguard to cip-core.

The image build signs the efibootguard bootloader (bootx64.efi) and generates
a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
A unified kernel image packs the kernel, initramfs and the kernel command-line
in one binary object. As the kernel command-line is immutable after the build
process, the previous selection of the root file system with a command-line parameter is no longer
possible. Therefore the selection of the root file-system occurs now in the initramfs.

The image uses an A/B partition layout to update the root file system. The sample implementation to
select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs.
During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs.
If a match is found the rootfs is used for the boot.

Changes V2:

- rebase to [1]
- removed luahandler patch as it now part of [1]
- add handling for sw-description

Changes V3:

- rewrite the image id creation to ensure a new uuid is generated if a new package is
added or another change of the rootfs
- add readme section how to execute/test the software update mechnism
- adapt to version v3 of [1]
- update the patch
- add wks file for efibootguard and swupdate

[1]: a/b rootfsupdate with software update

Changes V4:

- rebase onto next 619edb509bd287277749580cbc842e57d5044756
- fix indent of ./start-qemu.sh
- whitespace fixes
- update libubootenv patch to v2
- update revision of cip-kernel-config to ca24d965adf77730caf1cd32bdfcffd69e369502
to boot secureboot with qemu
- swupdate swdescription for non-secure-boot images

Quirin Gylstorff (6):
linux-cip: Update revision of kernel config
isar-patch: Add initramfs-config patch
secure-boot: select boot partition in initramfs
secure-boot: Add secure boot with unified kernel image
secure-boot: Add Debian snakeoil keys for ease-of-use
doc: Add README for secureboot

classes/image_uuid.bbclass | 33 +++
conf/distro/debian-buster-backports.list | 1 +
conf/distro/preferences.ovmf-snakeoil.conf | 3 +
doc/README.secureboot.md | 229 ++++++++++++++++++
.../0001-u-boot-add-libubootenv.patch | 161 ++++++------
...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++
kas-cip.yml | 3 +
kas/opt/ebg-secure-boot-base.yml | 18 ++
kas/opt/ebg-secure-boot-snakeoil.yml | 28 +++
kas/opt/ebg-swu.yml | 4 +-
recipes-core/images/cip-core-image.bb | 12 +-
.../files/secure-boot/sw-description.tmpl | 29 +++
recipes-core/images/files/sw-description.tmpl | 19 +-
recipes-core/images/secureboot.inc | 21 ++
recipes-core/images/swupdate.inc | 21 ++
.../ebg-secure-boot-secrets_0.1.bb | 51 ++++
.../ebg-secure-boot-secrets/files/README.md | 1 +
.../files/control.tmpl | 12 +
.../files/sign_secure_image.sh.tmpl | 22 ++
.../ebg-secure-boot-snakeoil_0.1.bb | 34 +++
.../files/control.tmpl | 12 +
.../files/sign_secure_image.sh | 36 +++
.../ovmf-binaries/files/control.tmpl | 11 +
.../ovmf-binaries/ovmf-binaries_0.1.bb | 30 +++
recipes-kernel/linux/linux-cip-common.inc | 2 +-
.../files/initramfs.image_uuid.hook | 33 +++
.../files/initramfs.lsblk.hook | 29 +++
.../initramfs-config/files/postinst.ext | 3 +
.../files/secure-boot-debian-local-patch | 79 ++++++
.../initramfs-abrootfs-secureboot_0.1.bb | 38 +++
...enerate-sb-db-from-existing-certificate.sh | 16 ++
scripts/generate_secure_boot_keys.sh | 51 ++++
.../wic/plugins/source/efibootguard-boot.py | 87 ++++++-
.../wic/plugins/source/efibootguard-efi.py | 40 ++-
scripts/start-efishell.sh | 12 +
start-qemu.sh | 59 +++--
wic/ebg-signed-bootloader.inc | 2 +
wic/qemu-amd64-efibootguard-secureboot.wks | 9 +
wic/qemu-amd64-efibootguard.wks | 1 -
39 files changed, 1330 insertions(+), 129 deletions(-)
create mode 100644 classes/image_uuid.bbclass
create mode 100644 conf/distro/debian-buster-backports.list
create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
create mode 100644 doc/README.secureboot.md
create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
create mode 100644 kas/opt/ebg-secure-boot-base.yml
create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
create mode 100644 recipes-core/images/secureboot.inc
create mode 100644 recipes-core/images/swupdate.inc
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
create mode 100644 recipes-support/initramfs-config/files/postinst.ext
create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
create mode 100755 scripts/generate_secure_boot_keys.sh
create mode 100755 scripts/start-efishell.sh
create mode 100644 wic/ebg-signed-bootloader.inc
create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks

--
2.20.1

Join cip-dev@lists.cip-project.org to automatically receive all group messages.