Re: [isar-cip-core] README.secureboot.md : Update steps for bullseye version


sai.sathujoda@...
 

Hi Jan & Quirin,

Is this patch still under review ? Please let us know.

Regards,
Sai Ashrith(T S I P)

-----Original Message-----
From: cip-dev@... <cip-dev@...> On Behalf Of Jan Kiszka
Sent: Tuesday, September 20, 2022 9:57 PM
To: ashrith sai(TSIP) <Sai.Sathujoda@...>; cip-dev@...; Quirin Gylstorff <quirin.gylstorff@...>
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [cip-dev] [isar-cip-core] README.secureboot.md : Update steps for bullseye version

On 20.09.22 17:40, Sai.Sathujoda@... wrote:
From: Sai <Sai.Sathujoda@...>

Updated steps to enable secureboot with user-generated & snakeoil keys.

Signed-off-by: Sai <Sai.Sathujoda@...>
---
doc/README.secureboot.md | 62
++++++++++++++++++++++++++--------------
1 file changed, 41 insertions(+), 21 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index
319b4db..977377a 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -76,7 +76,7 @@ Set up a secure boot test environment with
[QEMU](https://www.qemu.org/) ### Debian Snakeoil keys

The build copies the Debian Snakeoil keys to the directory `./build/tmp/deploy/images/<machine>/OVMF.
-You can use them as described in section [Start Image](### Start the image).
+You can use them as described in section [Start Image](#start-the-image).

### Generate Keys

@@ -113,7 +113,7 @@ cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi
secureboot-tools to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot.
3. Start QEMU with the script scripts/start-efishell.sh ```
-scripts/start-efishell.sh secureboot-tools
+OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.secboot.fd
+OVMF_VARS=./OVMF_VARS_4M.fd ./scripts/start-efishell.sh
+secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps:
```
@@ -147,16 +147,28 @@ For user-generated keys, create a new option
file in the repository. This option
header:
version: 10
includes:
- - kas/opt/ebg-secure-boot-base.yml
+ - kas/opt/ebg-swu.yml
+
+local_conf_header:
+ secure-boot-image: |
+ IMAGE_CLASSES += "verity"
+ IMAGE_FSTYPES = "wic"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in"
+ INITRAMFS_INSTALL_append = " initramfs-verity-hook"
+ # abrootfs cannot be installed together with verity
+ INITRAMFS_INSTALL_remove = " initramfs-abrootfs-hook"

local_conf_header:
secure-boot: |
- IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
- IMAGER_INSTALL += "ebg-secure-boot-secrets"
+ IMAGER_BUILD_DEPS += "ebg-secure-boot-signer"
+ IMAGER_INSTALL += "ebg-secure-boot-signer"
+
+# Use user-generated keys
+ PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-key"
+
user-keys: |
- SB_CERTDB = "democertdb"
- SB_VERIFY_CERT = "demo.crt"
- SB_KEY_NAME = "demo"
+ SB_CERT = "demo.crt"
+ SB_KEY = "demo.key"
```

Replace `demo` with the name of the user-generated certificates. The
user-generated certificates @@ -174,7 +186,7 @@ kas-container build
kas-cip.yml:kas/board/qemu-amd64.yml:<path to the new option

Start the image with the following command:
```
-SECURE_BOOT=y \
+SECURE_BOOT=y DISTRO_RELEASE=bullseye \
We should probably flip the defaults in start-qemu.sh now...

./start-qemu.sh amd64
```

@@ -194,27 +206,32 @@ To change the boot behavior, enter `exit` in the
shell to enter the bios and cha #### User-generated keys Start the
image with the following command:
```
-SECURE_BOOT=y \
+SECURE_BOOT=y DISTRO_RELEASE=bullseye \

OVMF_CODE=./build/tmp/deploy/images/qemu-amd64/OVMF/OVMF_CODE_4M.secbo
ot.fd \ OVMF_VARS=<path to the modified OVMF_VARS.fd> \
./start-qemu.sh amd64 ```
-
+After boot check the dmesg for secure boot status like below:
+```
+root@demo:~# dmesg | grep Secure
+[ 0.008368] Secure boot enabled
+```
## Example: Update the image

For updating the image, the following steps are necessary:
-- [Build the image with snakeoil keys](### Build image)
+- [Build the image with snakeoil keys](#build-image)
- save the generated swu
`build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-bullseye-q
emu-amd64.swu` to /tmp
-- modify the image for example add a new version to the image by
adding `PV=2.0.0` to
- [cip-core-image.bb](recipes-core/images/cip-core-image.bb)
-- start the new target and copy the swu
`cip-core-image-cip-core-bullseye-qemu-amd64.swu`
- to the running system, e.g.:
+- modify the image for example, switch to the RT kernel as modification:
+```
+kas-container build
+kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-secure-boot-snakeoil
+.yml:kas/opt/rt.yml
+```
+- start the new target
```
-SECURE=y ./start-qemu.sh amd64 -virtfs
local,path=/tmp,mount_tag=host0,security_model=passthrough,id=host0
+SECURE_BOOT=y DISTRO_RELEASE=bullseye ./start-qemu.sh amd64
```
-- mount `host0` on target with:
+Copy the swu cip-core-image-cip-core-bullseye-qemu-amd64.swu to the
+running system
```
-mount -t 9p -o trans=virtio,version=9p2000.L host0 /mnt
+scp -P 22222 /tmp/cip-core-image-cip-core-bullseye-qemu-amd64.swu
+root@....0.1:/home/
```
- check which partition is booted, e.g. with `lsblk`:
```
@@ -228,8 +245,11 @@ sda 8:0 0 2G 0 disk
└─sda5 8:5 0 1000M 0 part
```

-- install with `swupdate -i
/mnt/cip-core-image-cip-core-bullseye-qemu-amd64.swu`
-- reboot
+- install the swupdate and reboot the image ``` root@demo:~# swupdate
+-i /home/cip-core-image-cip-core-bullseye-qemu-amd64.swu`
+root@demo:~# reboot
+```
- check which partition is booted, e.g. with `lsblk`. The rootfs should have changed:
```
root@demo:~# lsblk
Quirin, could you cross-check as well? Seems fine to me on a quick glance.

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux

Join cip-dev@lists.cip-project.org to automatically receive all group messages.