Date   

[isar-cip-core][Resend PATCH 3/4] .gitlab-ci.yml: Drop 'deploy: disable' from build:qemu-amd64-base

Nobuhiro Iwamatsu
 

This enables uploading of images built with build:qemu-amd64-base.

Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...>
---
.gitlab-ci.yml | 1 -
1 file changed, 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b53d9cc..64c7b20 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -72,7 +72,6 @@ build:qemu-amd64-base:
use_rt: disable
wic_targz: disable
targz: enable
- deploy: disable

build:qemu-arm64-base:
extends:
--
2.31.1


[isar-cip-core][Resend PATCH 4/4] .gitlab-ci.yml: Add build:qemu-amd64-test target

Nobuhiro Iwamatsu
 

This adds a target for the test image for QEMU/amd64 architecture.

Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...>
---
.gitlab-ci.yml | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 64c7b20..84c1257 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -125,6 +125,15 @@ build:hihope-rzg2m-test:
extention: test
dtb: renesas/r8a774a1-hihope-rzg2m-ex.dtb

+build:qemu-amd64-test:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-amd64
+ extention: test
+ wic_targz: disable
+ targz: enable
+
build:qemu-arm64-test:
extends:
- .build_base
--
2.31.1


[PATCH 1/4] scripts/deploy-cip-core.sh: Fix uploading tar.gz image

Nobuhiro Iwamatsu
 

Since *.wic.img is always compressed, if this file does not exist (for
example, the extension is tar.gz), the image file upload will fail.
This will check for the extension of the file.

Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...>
---
scripts/deploy-cip-core.sh | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/scripts/deploy-cip-core.sh b/scripts/deploy-cip-core.sh
index 5b7eab9..3593d51 100755
--- a/scripts/deploy-cip-core.sh
+++ b/scripts/deploy-cip-core.sh
@@ -24,14 +24,17 @@ if [ "${EXTENSION}" != "base" ] ; then
BASE_PATH=build/tmp/deploy/images/$TARGET/cip-core-image-cip-core-$RELEASE-$TARGET-$EXTENSION
fi

-echo "Compressing cip-core-image-cip-core-$RELEASE-$TARGET.wic.img..."
-xz -9 -k $BASE_PATH.wic.img
+if [ -f $BASE_PATH.wic.img ] ; then
+ echo "Compressing cip-core-image-cip-core-$RELEASE-$TARGET.wic.img..."
+ xz -9 -k $BASE_PATH.wic.img

-echo "Uploading artifacts..."
-aws s3 cp --no-progress $BASE_PATH.wic.img.xz s3://download.cip-project.org/cip-core/$TARGET/
+ echo "Uploading artifacts..."
+ aws s3 cp --no-progress $BASE_PATH.wic.img.xz s3://download.cip-project.org/cip-core/$TARGET/
+fi

if [ -f $BASE_PATH.tar.gz ]; then
- aws s3 cp --no-progress $BASE_PATH.tar.gz s3://download.cip-project.org/cip-core/$TARGET/
+ echo "Uploading artifacts..."
+ aws s3 cp --no-progress $BASE_PATH.tar.gz s3://download.cip-project.org/cip-core/$TARGET/
fi

KERNEL_IMAGE=$BASE_PATH-vmlinuz
--
2.31.1


[PATCH 3/4] .gitlab-ci.yml: Drop 'deploy: disable' from build:qemu-amd64-base

Nobuhiro Iwamatsu
 

This enables uploading of images built with build:qemu-amd64-base.

Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...>
---
.gitlab-ci.yml | 1 -
1 file changed, 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b53d9cc..64c7b20 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -72,7 +72,6 @@ build:qemu-amd64-base:
use_rt: disable
wic_targz: disable
targz: enable
- deploy: disable

build:qemu-arm64-base:
extends:
--
2.31.1


[PATCH 4/4] .gitlab-ci.yml: Add build:qemu-amd64-test target

Nobuhiro Iwamatsu
 

This adds a target for the test image for QEMU/amd64 architecture.

Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...>
---
.gitlab-ci.yml | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 64c7b20..84c1257 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -125,6 +125,15 @@ build:hihope-rzg2m-test:
extention: test
dtb: renesas/r8a774a1-hihope-rzg2m-ex.dtb

+build:qemu-amd64-test:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-amd64
+ extention: test
+ wic_targz: disable
+ targz: enable
+
build:qemu-arm64-test:
extends:
- .build_base
--
2.31.1


[PATCH 2/4] scripts/deploy-cip-core.sh: Fix to correct filename with security extension

Nobuhiro Iwamatsu
 

Since security extension uses the bb file, not the extension using local.conf,
the generated filename is different.
This sets the correct filename for security extensions.

Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...>
---
scripts/deploy-cip-core.sh | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/scripts/deploy-cip-core.sh b/scripts/deploy-cip-core.sh
index 3593d51..0b8bbe6 100755
--- a/scripts/deploy-cip-core.sh
+++ b/scripts/deploy-cip-core.sh
@@ -19,13 +19,19 @@ TARGET=$2
EXTENSION=$3
DTB=$4

-BASE_PATH=build/tmp/deploy/images/$TARGET/cip-core-image-cip-core-$RELEASE-$TARGET
+BASE_FILENAME=cip-core-image-cip-core-$RELEASE-$TARGET
if [ "${EXTENSION}" != "base" ] ; then
- BASE_PATH=build/tmp/deploy/images/$TARGET/cip-core-image-cip-core-$RELEASE-$TARGET-$EXTENSION
+ if [ "${EXTENSION}" = "security" ] ; then
+ BASE_FILENAME=cip-core-image-$EXTENSION-cip-core-$RELEASE-$TARGET
+ else
+ BASE_FILENAME=cip-core-image-cip-core-$RELEASE-$TARGET-$EXTENSION
+ fi
fi

+BASE_PATH=build/tmp/deploy/images/$TARGET/$BASE_FILENAME
+
if [ -f $BASE_PATH.wic.img ] ; then
- echo "Compressing cip-core-image-cip-core-$RELEASE-$TARGET.wic.img..."
+ echo "Compressing $BASE_FILENAME.wic.img..."
xz -9 -k $BASE_PATH.wic.img

echo "Uploading artifacts..."
--
2.31.1


Re: [PATCH 2/2] [isar-cip-core] Add support qemu-arm

Nobuhiro Iwamatsu
 

Hi Jan,

-----Original Message-----
From: Jan Kiszka [mailto:jan.kiszka@...]
Sent: Thursday, April 29, 2021 4:25 PM
To: iwamatsu nobuhiro(岩松 信洋 □SWC◯ACT) <nobuhiro1.iwamatsu@...>
Cc: cip-dev@...
Subject: Re: [PATCH 2/2] [isar-cip-core] Add support qemu-arm

On 08.04.21 04:32, Nobuhiro Iwamatsu wrote:
This adds configuration files to support QEMU/arm.
This is intended to be used for a test image of LAVA of CIP.

Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...>
---
.gitlab-ci.yml | 19 +++++++++++++++++++
conf/machine/qemu-arm.conf | 14 ++++++++++++++
kas/board/qemu-arm.yml | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
create mode 100644 conf/machine/qemu-arm.conf
create mode 100644 kas/board/qemu-arm.yml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 01d9609..b53d9cc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -84,6 +84,16 @@ build:qemu-arm64-base:
wic_targz: disable
targz: enable

+build:qemu-arm-base:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-arm
+ extention: security
+ use_rt: disable
+ wic_targz: disable
+ targz: enable
+
# test
build:simatic-ipc227e-test:
extends:
@@ -124,3 +134,12 @@ build:qemu-arm64-test:
extention: test
wic_targz: disable
targz: enable
+
+build:qemu-arm-test:
+ extends:
+ - .build_base
+ variables:
+ target: qemu-arm
+ extention: test
+ wic_targz: disable
+ targz: enable
diff --git a/conf/machine/qemu-arm.conf b/conf/machine/qemu-arm.conf
new file mode 100644
index 0000000..81a22c1
--- /dev/null
+++ b/conf/machine/qemu-arm.conf
@@ -0,0 +1,14 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2019
+# Copyright (c) TOSHIBA CORPORATION, 2021
+#
+# SPDX-License-Identifier: MIT
+#
+
+DISTRO_ARCH = "armhf"
+
+IMAGE_TYPE ?= "ext4-img"
+USE_CIP_KERNEL_CONFIG = "1"
+KERNEL_DEFCONFIG ?= "cip-kernel-config/4.19.y-cip/arm/qemu_arm_defconfig"
diff --git a/kas/board/qemu-arm.yml b/kas/board/qemu-arm.yml
new file mode 100644
index 0000000..9bf9728
--- /dev/null
+++ b/kas/board/qemu-arm.yml
@@ -0,0 +1,16 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2019
+# Copyright (c) TOSHIBA CORPORATION, 2021
+#
+# Authors:
+# Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 10
+
+machine: qemu-arm
It looks to me we have some regressions in master (which does
deployment), caused by these commits. Could you have a look at

https://gitlab.com/cip-project/cip-core/isar-cip-core/-/pipelines/294203272
OK, this is a issue when uploading a built image. I have not looked into
The featute in detail. I will fix this.

TIA,
Jan
Best regards,
Nobuhiro


[isar-cip-core][PATCH] kas/opt: Restructure ebg-swu.yml and qemu-swupdate.yml

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

The kas files ebg-swu.yml and qemu-swupdate.yml overlap in
some cases. Clarify their use by moving all efibootguard related
configuration to efibootguard.yml. Configuration items corresponding
with SWUpdate are moved to swupdate.yml. The option swupdate.yml is
independent of the bootloader/cpu-architecture.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
doc/README.secureboot.md | 5 ++---
kas/opt/ebg-secure-boot-base.yml | 2 ++
kas/opt/{ebg-swu.yml => efibootguard.yml} | 12 ++++++------
kas/opt/{qemu-swupdate.yml => swupdate.yml} | 10 +++++++---
4 files changed, 17 insertions(+), 12 deletions(-)
rename kas/opt/{ebg-swu.yml => efibootguard.yml} (66%)
rename kas/opt/{qemu-swupdate.yml => swupdate.yml} (52%)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 0996edc..b5056f2 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -142,7 +142,7 @@ Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:

```
-kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

For user-generated keys, create a new option file in the repository. This option file could look like this:
@@ -150,7 +150,6 @@ For user-generated keys, create a new option file in the repository. This option
header:
version: 10
includes:
- - kas/opt/ebg-swu.yml
- kas/opt/ebg-secure-boot-base.yml

local_conf_header:
@@ -169,7 +168,7 @@ need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.
Build the image with user-generated keys by executing the command:

```
-kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml
+kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:<path to the new option>.yml
```

### Start the image
diff --git a/kas/opt/ebg-secure-boot-base.yml b/kas/opt/ebg-secure-boot-base.yml
index 30ca35a..35fb42e 100644
--- a/kas/opt/ebg-secure-boot-base.yml
+++ b/kas/opt/ebg-secure-boot-base.yml
@@ -11,6 +11,8 @@

header:
version: 10
+ includes:
+ - efibootguard.yml

local_conf_header:
initramfs: |
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/efibootguard.yml
similarity index 66%
rename from kas/opt/ebg-swu.yml
rename to kas/opt/efibootguard.yml
index 63dda09..544c740 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/efibootguard.yml
@@ -8,19 +8,19 @@
#
# SPDX-License-Identifier: MIT
#
+# This kas file adds efibootguard as the bootloader to the image

header:
version: 10

local_conf_header:
- swupdate: |
- IMAGE_INSTALL_append = " swupdate efibootguard"
+ efibootguard: |
+ IMAGE_INSTALL_append = " efibootguard"
+
+ efibootguard-swupdate: |
SWUPDATE_BOOTLOADER = "efibootguard"

- efibootguard: |
+ efibootguard-wic: |
WDOG_TIMEOUT = "0"
WICVARS += "WDOG_TIMEOUT"

- wic: |
- IMAGE_TYPE = "wic-swu-img"
- WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
diff --git a/kas/opt/qemu-swupdate.yml b/kas/opt/swupdate.yml
similarity index 52%
rename from kas/opt/qemu-swupdate.yml
rename to kas/opt/swupdate.yml
index daebd2c..e622972 100644
--- a/kas/opt/qemu-swupdate.yml
+++ b/kas/opt/swupdate.yml
@@ -8,12 +8,16 @@
#
# SPDX-License-Identifier: MIT
#
-
+# This kas file adds swupdate and generates a ${IMAGE_NAME}.swu
+# from the first wic partition

header:
version: 10

local_conf_header:
- qemu-wic: |
+ swupdate: |
+ IMAGE_INSTALL_append = " swupdate"
+
+ wic-swu: |
IMAGE_TYPE ?= "wic-swu-img"
- WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"
+ WKS_FILE = "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
--
2.20.1


Re: [isar-cip-core][PATCH v4 0/2] swupdate-config: variables cleanup

Jan Kiszka
 

On 06.05.21 16:12, Gylstorff Quirin wrote:


On 5/5/21 6:43 PM, Jan Kiszka wrote:
On 05.05.21 10:21, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This patch removes the variable U_BOOT from the swupdate-config.bbclass.
It also adds the suffix `SWUPDATE` to the variable BOOTLOADER.

If a custom u-boot is used in concunction with swupdate it is
recommened to set `U_BOOT_CONFIG_PACKAGE` to '1'. This now adds
a dependency from SWupdate to u-boot-{MACHINE}-config for installing
fw_env.config.

Changes in V2:
  - fix typo in commit message
  - use variable in kas/opt/*.yml

Changes in V3:
  - remove variable U_BOOT
  - split into 2 commits

Changes in V4:
  - Add missing Changes log
  - Correct commit message

Quirin Gylstorff (2):
   swupdate-config: remove variable U_BOOT
   swupdate-config: add prefix to variable BOOTLOADER

  classes/swupdate-config.bbclass      | 17 ++++++++++-------
  kas/opt/ebg-secure-boot-snakeoil.yml |  2 +-
  kas/opt/ebg-swu.yml                  |  4 ++--
  kas/opt/qemu-swupdate.yml            |  2 +-
  4 files changed, 14 insertions(+), 11 deletions(-)
Thanks, applied to next.

We may eventually also want to do a renaming of qemu-swupdate.yml to
qemu-amd64-swupdate.yml - just for the case that there will also be ARM
qemu target to demonstrate/test swupdate.
Alternative would be to change
`
-WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"
+WKS_FILE = "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
`
Right, that file is only an option file anyway.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH v4 0/2] swupdate-config: variables cleanup

Quirin Gylstorff
 

On 5/5/21 6:43 PM, Jan Kiszka wrote:
On 05.05.21 10:21, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This patch removes the variable U_BOOT from the swupdate-config.bbclass.
It also adds the suffix `SWUPDATE` to the variable BOOTLOADER.

If a custom u-boot is used in concunction with swupdate it is
recommened to set `U_BOOT_CONFIG_PACKAGE` to '1'. This now adds
a dependency from SWupdate to u-boot-{MACHINE}-config for installing
fw_env.config.

Changes in V2:
- fix typo in commit message
- use variable in kas/opt/*.yml

Changes in V3:
- remove variable U_BOOT
- split into 2 commits

Changes in V4:
- Add missing Changes log
- Correct commit message

Quirin Gylstorff (2):
swupdate-config: remove variable U_BOOT
swupdate-config: add prefix to variable BOOTLOADER

classes/swupdate-config.bbclass | 17 ++++++++++-------
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
kas/opt/ebg-swu.yml | 4 ++--
kas/opt/qemu-swupdate.yml | 2 +-
4 files changed, 14 insertions(+), 11 deletions(-)
Thanks, applied to next.
We may eventually also want to do a renaming of qemu-swupdate.yml to
qemu-amd64-swupdate.yml - just for the case that there will also be ARM
qemu target to demonstrate/test swupdate.
Alternative would be to change
`
-WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"
+WKS_FILE = "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
`
Quirin
Jan


Re: [isar-cip-core][PATCH v2] README.secureboot: Corrections

Dinesh Kumar
 

On Thu, May 6, 2021 at 12:24 AM, Quirin Gylstorff wrote:




On 5/5/21 6:47 PM, Jan Kiszka wrote:
Dinesh, your citation settings are broken. When sending plaintext, as it
is common on public lists, you need to set the mark "> " at the
beginning of all cited line.

On 30.04.21 16:06, Dinesh Kumar wrote:
On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:

From: Quirin Gylstorff <quirin.gylstorff@...>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---

Changes in V2:
- remove unnecessary new-lines

doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd
contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the
following steps:

+```

Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or
higher as default Debian buster has older version of qemu and this step
fails with older version.
Also these steps can't be executed remotely as it launches UI window for
QEMU, so it should be done locally.
Feel free to send a patch (or MR if that is easier) that adjust things,
Dinesh.


-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file
could look like this:
+For user-generated keys, create a new option file in the
repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates.
I added the following sentence to the README for the keys:

The formating is off:
The user-generated certificates
+need to stored in the folder
`recipes-devtools/ebg-secure-boot-secrets/files`.

Dinesh is that sufficient?
Yes, Quirin, that's sufficient to point it out.

Quirin
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to
the new option>.yml
+```

### Start the image

Where are you taking care of my below point? I don't see it yet

Keys and certs generated by scripts/generate_secure_boot_keys.sh are
not available to build command, so I have to move them in
recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work
Quirin?

Jan


Re: [isar-cip-core][PATCH v2] README.secureboot: Corrections

Dinesh Kumar
 

On Wed, May 5, 2021 at 10:17 PM, Jan Kiszka wrote:


Dinesh, your citation settings are broken. When sending plaintext, as it
is common on public lists, you need to set the mark "> " at the
beginning of all cited line.
Yes, just now I have changed settings and made it plaintext while replying, earlier it was HTML. I hope it will fix this issue.
Thanks for pointing it.

On 30.04.21 16:06, Dinesh Kumar wrote:
On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:

From: Quirin Gylstorff <quirin.gylstorff@...>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---

Changes in V2:
- remove unnecessary new-lines

doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd
contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the
following steps:

+```

Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or
higher as default Debian buster has older version of qemu and this step
fails with older version.
Also these steps can't be executed remotely as it launches UI window for
QEMU, so it should be done locally.
Feel free to send a patch (or MR if that is easier) that adjust things,
Dinesh.
Sure, I will do that.

-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file
could look like this:
+For user-generated keys, create a new option file in the
repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates.
The user-generated certificates
+need to stored in the folder
`recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to
the new option>.yml
+```

### Start the image

Where are you taking care of my below point? I don't see it yet

Keys and certs generated by scripts/generate_secure_boot_keys.sh are
not available to build command, so I have to move them in
recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work
Quirin?

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


CIP IRC weekly meeting today

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2021&month=5&day=6&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2021/04/cip.2021-04-22-09.00.log.html

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Do some experiment to lower burdens on CI - patersonc
3. Monitor the status of CVE-2021-3444 and CVE-2021-20292 (3/25) - Kernel Team
4. Monitor the status of CVE-2021-29650 (4/1) - Kernel Team
5. Update Testing table below with 5.10 info - patersonc
https://wiki.linuxfoundation.org/civilinfrastructureplatform/ciptesting/centalisedtesting/cioverview
6. Ask the needs to backport CVE-2021-23133 [net/sctp: race in sctp_destroy_sock] (4/22)


* Kernel maintenance updates
* Kernel testing
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics can stay. Otherwise, the topic will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


Re: [isar-cip-core][PATCH v2] README.secureboot: Corrections

Quirin Gylstorff
 

On 5/5/21 6:47 PM, Jan Kiszka wrote:
Dinesh, your citation settings are broken. When sending plaintext, as it
is common on public lists, you need to set the mark "> " at the
beginning of all cited line.
On 30.04.21 16:06, Dinesh Kumar wrote:
On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:

From: Quirin Gylstorff <quirin.gylstorff@...>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---

Changes in V2:
- remove unnecessary new-lines

doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd
contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the
following steps:

+```

Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or
higher as default Debian buster has older version of qemu and this step
fails with older version.
Also these steps can't be executed remotely as it launches UI window for
QEMU, so it should be done locally.
Feel free to send a patch (or MR if that is easier) that adjust things,
Dinesh.


-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file
could look like this:
+For user-generated keys, create a new option file in the
repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates.
I added the following sentence to the README for the keys:

The formating is off:
The user-generated certificates
+need to stored in the folder
`recipes-devtools/ebg-secure-boot-secrets/files`.

Dinesh is that sufficient?


Quirin
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to
the new option>.yml
+```

### Start the image

Where are you taking care of my below point? I don't see it yet

Keys and certs generated by scripts/generate_secure_boot_keys.sh are
not available to build command, so I have to move them in
recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work
Quirin?
Jan


Re: [isar-cip-core][PATCH v4 0/2] swupdate-config: variables cleanup

Jan Kiszka
 

On 05.05.21 10:21, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

This patch removes the variable U_BOOT from the swupdate-config.bbclass.
It also adds the suffix `SWUPDATE` to the variable BOOTLOADER.

If a custom u-boot is used in concunction with swupdate it is
recommened to set `U_BOOT_CONFIG_PACKAGE` to '1'. This now adds
a dependency from SWupdate to u-boot-{MACHINE}-config for installing
fw_env.config.

Changes in V2:
- fix typo in commit message
- use variable in kas/opt/*.yml

Changes in V3:
- remove variable U_BOOT
- split into 2 commits

Changes in V4:
- Add missing Changes log
- Correct commit message

Quirin Gylstorff (2):
swupdate-config: remove variable U_BOOT
swupdate-config: add prefix to variable BOOTLOADER

classes/swupdate-config.bbclass | 17 ++++++++++-------
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
kas/opt/ebg-swu.yml | 4 ++--
kas/opt/qemu-swupdate.yml | 2 +-
4 files changed, 14 insertions(+), 11 deletions(-)
Thanks, applied to next.

We may eventually also want to do a renaming of qemu-swupdate.yml to
qemu-amd64-swupdate.yml - just for the case that there will also be ARM
qemu target to demonstrate/test swupdate.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: [isar-cip-core][PATCH v2] README.secureboot: Corrections

Jan Kiszka
 

Dinesh, your citation settings are broken. When sending plaintext, as it
is common on public lists, you need to set the mark "> " at the
beginning of all cited line.

On 30.04.21 16:06, Dinesh Kumar wrote:
On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:

From: Quirin Gylstorff <quirin.gylstorff@...>

- Add code block for key insertion for better visibility
- Correct the template for user-generated keys
- Add information where to store the keys

Add build command for user generated keys

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---

Changes in V2:
- remove unnecessary new-lines

doc/README.secureboot.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 84131bb..0996edc 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd
contains no keys can be instrumented f
scripts/start-efishell.sh secureboot-tools
```
4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the
following steps:

+```

Do you want to mention qemu-system-x86_64 --version should be 5.2.0 or
higher as default Debian buster has older version of qemu and this step
fails with older version.
Also these steps can't be executed remotely as it launches UI window for
QEMU, so it should be done locally.
Feel free to send a patch (or MR if that is easier) that adjust things,
Dinesh.


-> "Edit Keys"
-> "The Allowed Signatures Database (db)"
-> "Add New Key"
@@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
-> "Replace Key(s)"
-> Change/Confirm device
-> Select "PK.auth" file
+```
5. quit QEMU

### Build image

Build the image with a signed efibootguard and unified kernel image
with the snakeoil keys by executing:
+
```
kas-container build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
```

-For user-generated keys, create a new option file. This option file
could look like this:
+For user-generated keys, create a new option file in the
repository. This option file could look like this:
```
header:
version: 10
includes:
- - opt/ebg-swu.yml
- - opt/ebg-secure-boot-initramfs.yml
+ - kas/opt/ebg-swu.yml
+ - kas/opt/ebg-secure-boot-base.yml

local_conf_header:
secure-boot: |
IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
IMAGER_INSTALL += "ebg-secure-boot-secrets"
- user-keys:
+ user-keys: |
SB_CERTDB = "democertdb"
SB_VERIFY_CERT = "demo.crt"
SB_KEY_NAME = "demo"
```

-Replace `demo` with the name of the user-generated certificates.
+Replace `demo` with the name of the user-generated certificates.
The user-generated certificates
+need to stored in the folder
`recipes-devtools/ebg-secure-boot-secrets/files`.
+
+Build the image with user-generated keys by executing the command:
+
+```
+kas-container build
kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to
the new option>.yml
+```

### Start the image

Where are you taking care of my below point? I don't see it yet

Keys and certs generated by scripts/generate_secure_boot_keys.sh are
not available to build command, so I have to move them in
recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work
Quirin?

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Re: Cip-kernel-sec Updates for Week of 2021-05-05

Chen-Yu Tsai (Moxa) <wens@...>
 

On Wed, May 5, 2021 at 4:34 PM Pavel Machek <pavel@...> wrote:

Hi!

- CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
Likely needs backport to 4.9 and earlier.
Backport is trivial in this case.

Additionally, one old CVE is now fixed:
- CVE-2020-26541
This is UEFI secure boot, and it is more of "implement missing
blacklist functionality" than a bugfix.

If someone uses secure boot on UEFI, we may need to do this, but
perhaps noone is doing that.
No idea. All the servers I touched at work were still booting via
legacy BIOS. Mind you that these were old servers. The latest machine
we have, an AMD EPYC 7002, is UEFI only. I never looked at the
settings though.

ChenYu

Best regards,
Pavel

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index eab3f7325e31..a6e6a852c9e8 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl *param, size_t param_size)
* Grab our output buffer.
*/
nl = get_result_buffer(param, param_size, &len);
- if (len < needed) {
+ if (len < needed || len < sizeof(nl->dev)) {
param->flags |= DM_BUFFER_FULL_FLAG;
goto out;
}

Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: Cip-kernel-sec Updates for Week of 2021-05-05

Pavel Machek
 

Hi!

- CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
Likely needs backport to 4.9 and earlier.
Backport is trivial in this case.

Additionally, one old CVE is now fixed:
- CVE-2020-26541
This is UEFI secure boot, and it is more of "implement missing
blacklist functionality" than a bugfix.

If someone uses secure boot on UEFI, we may need to do this, but
perhaps noone is doing that.

Best regards,
Pavel

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index eab3f7325e31..a6e6a852c9e8 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl *param, size_t param_size)
* Grab our output buffer.
*/
nl = get_result_buffer(param, param_size, &len);
- if (len < needed) {
+ if (len < needed || len < sizeof(nl->dev)) {
param->flags |= DM_BUFFER_FULL_FLAG;
goto out;
}

Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


[isar-cip-core][PATCH v4 2/2] swupdate-config: add prefix to variable BOOTLOADER

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

The variable BOOTLOADER is only used for swupdate.
Add the prefix SWUPDATE to indicate the intended usage.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
classes/swupdate-config.bbclass | 8 ++++----
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
kas/opt/ebg-swu.yml | 4 ++--
kas/opt/qemu-swupdate.yml | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/classes/swupdate-config.bbclass b/classes/swupdate-config.bbclass
index 5af4eba..4e46b37 100644
--- a/classes/swupdate-config.bbclass
+++ b/classes/swupdate-config.bbclass
@@ -60,7 +60,7 @@ KFEATURE_u-boot[KCONFIG_SNIPPETS] = "file://swupdate_defconfig_u-boot.snippet"
SWUPDATE_LUASCRIPT ?= "swupdate_handlers.lua"

def get_bootloader_featureset(d):
- bootloader = d.getVar("BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
if bootloader == "efibootguard":
return "efibootguard"
if bootloader == "u-boot":
@@ -71,11 +71,11 @@ SWUPDATE_KFEATURES ??= ""
KFEATURES = "${SWUPDATE_KFEATURES}"
KFEATURES += "${@get_bootloader_featureset(d)}"

-# Astonishingly, as an anonymous python function, BOOTLOADER is always None
+# Astonishingly, as an anonymous python function, SWUPDATE_BOOTLOADER is always None
# one time before it gets set. So the following must be a task.
python do_check_bootloader () {
- bootloader = d.getVar("BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
if not bootloader in ["efibootguard", "u-boot"]:
- bb.warn("swupdate: BOOTLOADER set to incompatible value: " + bootloader)
+ bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
addtask check_bootloader before do_fetch
diff --git a/kas/opt/ebg-secure-boot-snakeoil.yml b/kas/opt/ebg-secure-boot-snakeoil.yml
index 8a72084..c0ed1a2 100644
--- a/kas/opt/ebg-secure-boot-snakeoil.yml
+++ b/kas/opt/ebg-secure-boot-snakeoil.yml
@@ -20,7 +20,7 @@ local_conf_header:
# Add snakeoil and ovmf binaries for qemu
IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil ovmf-binaries"
IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
- WKS_FILE = "${MACHINE}-${BOOTLOADER}-secureboot.wks"
+ WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks"

ovmf: |
# snakeoil certs are only part of backports
diff --git a/kas/opt/ebg-swu.yml b/kas/opt/ebg-swu.yml
index aa3aed1..63dda09 100644
--- a/kas/opt/ebg-swu.yml
+++ b/kas/opt/ebg-swu.yml
@@ -15,7 +15,7 @@ header:
local_conf_header:
swupdate: |
IMAGE_INSTALL_append = " swupdate efibootguard"
- BOOTLOADER = "efibootguard"
+ SWUPDATE_BOOTLOADER = "efibootguard"

efibootguard: |
WDOG_TIMEOUT = "0"
@@ -23,4 +23,4 @@ local_conf_header:

wic: |
IMAGE_TYPE = "wic-swu-img"
- WKS_FILE ?= "${MACHINE}-${BOOTLOADER}.wks"
+ WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks"
diff --git a/kas/opt/qemu-swupdate.yml b/kas/opt/qemu-swupdate.yml
index 3f5fedf..daebd2c 100644
--- a/kas/opt/qemu-swupdate.yml
+++ b/kas/opt/qemu-swupdate.yml
@@ -16,4 +16,4 @@ header:
local_conf_header:
qemu-wic: |
IMAGE_TYPE ?= "wic-swu-img"
- WKS_FILE = "qemu-amd64-${BOOTLOADER}.wks"
+ WKS_FILE = "qemu-amd64-${SWUPDATE_BOOTLOADER}.wks"
--
2.20.1


[isar-cip-core][PATCH v4 0/2] swupdate-config: variables cleanup

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@...>

This patch removes the variable U_BOOT from the swupdate-config.bbclass.
It also adds the suffix `SWUPDATE` to the variable BOOTLOADER.

If a custom u-boot is used in concunction with swupdate it is
recommened to set `U_BOOT_CONFIG_PACKAGE` to '1'. This now adds
a dependency from SWupdate to u-boot-{MACHINE}-config for installing
fw_env.config.

Changes in V2:
- fix typo in commit message
- use variable in kas/opt/*.yml

Changes in V3:
- remove variable U_BOOT
- split into 2 commits

Changes in V4:
- Add missing Changes log
- Correct commit message

Quirin Gylstorff (2):
swupdate-config: remove variable U_BOOT
swupdate-config: add prefix to variable BOOTLOADER

classes/swupdate-config.bbclass | 17 ++++++++++-------
kas/opt/ebg-secure-boot-snakeoil.yml | 2 +-
kas/opt/ebg-swu.yml | 4 ++--
kas/opt/qemu-swupdate.yml | 2 +-
4 files changed, 14 insertions(+), 11 deletions(-)

--
2.20.1

3681 - 3700 of 10124