Re: [isar-cip-core][PATCH v2] README.secureboot: Corrections
On Thu, May 6, 2021 at 12:24 AM, Quirin Gylstorff wrote:
Yes, Quirin, that's sufficient to point it out.
On 5/5/21 6:47 PM, Jan Kiszka wrote:Dinesh, your citation settings are broken. When sending plaintext, as itkas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
is common on public lists, you need to set the mark "> " at the
beginning of all cited line.
On 30.04.21 16:06, Dinesh Kumar wrote:On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:Feel free to send a patch (or MR if that is easier) that adjust things,
From: Quirin Gylstorff <quirin.gylstorff@...>
- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys
Add build command for user generated keys
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
Changes in V2:
- remove unnecessary new-lines
doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd
contains no keys can be instrumented f
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the
Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or
higher as default Debian buster has older version of qemu and this step
fails with older version.
Also these steps can't be executed remotely as it launches UI window for
QEMU, so it should be done locally.
-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
5. quit QEMU
### Build image
Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
I added the following sentence to the README for the keys:```
-For user-generated keys, create a new option file. This option file
could look like this:
+For user-generated keys, create a new option file in the
repository. This option file could look like this:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates.
The formating is off:The user-generated certificates
+need to stored in the folder
Dinesh is that sufficient?
+Build the image with user-generated keys by executing the command:
the new option>.yml
### Start the image
Where are you taking care of my below point? I don't see it yet
Keys and certs generated by scripts/generate_secure_boot_keys.sh are
not available to build command, so I have to move them in
recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work