diff mbox series

[isar-cip-core] doc/REAME.secureboot.md: Add MCOM specific secure boot details

Message ID 20240701064005.1651999-1-Shivanand.Kunijadar@toshiba-tsip.com (mailing list archive)
State Superseded
Headers show
Series [isar-cip-core] doc/REAME.secureboot.md: Add MCOM specific secure boot details | expand

Commit Message

Shivanand Kunijadar July 1, 2024, 6:40 a.m. UTC
Add separate section to configure and verify secure boot on MCOM device.
This section includes the detailed steps to enable secure boot via BIOS
and inject keys using Keytool.efi and finally the verification part.

Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com>
---
 doc/README.secureboot.md | 85 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 84 insertions(+), 1 deletion(-)

Comments

Jan Kiszka July 1, 2024, 7:47 a.m. UTC | #1
On 01.07.24 08:40, Shivanand wrote:
> Add separate section to configure and verify secure boot on MCOM device.
> This section includes the detailed steps to enable secure boot via BIOS
> and inject keys using Keytool.efi and finally the verification part.
> 
> Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com>
> ---
>  doc/README.secureboot.md | 85 +++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 84 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
> index 3ae4154..7917207 100644
> --- a/doc/README.secureboot.md
> +++ b/doc/README.secureboot.md
> @@ -322,7 +322,28 @@ The following keys need to be enrolled onto the device:
>  
>  The enrollment can typically be achieved with the help of
>  [efi-updatevar](https://manpages.debian.org/bookworm/efitools/efi-updatevar.1.en.html)
> -on the device. Otherwise, consult the manual of the specific UEFI Firmware.
> +on the device.
> +
> +If the device supports built in EFI shell then the enrollment of keys can also be done by KeyTool.efi tool like below:
> +
> +Format the USB memory stick
> +
> +```
> +host$ sudo mkfs.vfat <usb device>
> +host$ sudo mount -t vfat /dev/<usb device> /mnt/
> +```
> +
> +Copy the KeyTool.efi binary and self signed Secure Boot keys to USB stick
> +
> +Here the folder "keys" contains Secure Boot keys(DB, KEK and PK).
> +```
> +host$ sudo apt install efitools
> +host$ sudo mkdir -p /mnt/efi/boot
> +host$ sudo cp /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi /mnt/efi/boot/KeyTool.efi
> +host$ sudo cp -r keys /mnt/
> +host$ sudo umount /mnt
> +```
> +Launch KeyTool.efi binary from the built in EFI shell and follow step-4 from the section [Add Keys to OVMF](#add-keys-to-ovmf) to inject Secure Boot keys. Otherwise, consult the manual of the specific UEFI Firmware.
>  
>  Use the recipes [secure-boot-key](###secure-boot-key) to provided the keys
>  to the signing script contained in
> @@ -334,3 +355,65 @@ During building a efibootguard based wic image the scripts contained in
>  the recipe ebg-secure-boot-signer can be used to sign the bootloader and
>  unified kernel image(UKI). If the keys are stored in a HSM the script can
>  be exchanged to sign the artifacts in a more secure way.
> +
> +### Secure Boot configurations and verification on M-COM(X86)
> +
> +**Note:**
> +* All the steps are specific to M-COM RT X86 V1 device hence consult device specific manual for other devices for Secure Boot verification.
> +
> +Copy KeyTool.efi and UEFI keys into USB stick as mentioned in [Secure boot key enrollment](#secure-boot-key-enrollment)
> +
> +Insert USB memory stick to M-COM device.
> +
> +Power on and Press F12 key to Enter BIOS setup.
> +
> +**Note:**
> +* if you want to restore the default BIOS settings then
> +Under "Save & Exit" tab, Click on "Restore User Defaults" and select "Yes" to restore default values.
> +
> +Enable Secure Boot and enter to Setup Mode by following below steps
> +
> +**Note:**
> +* Due to following step, old keys will be deleted hence it’s recommended to take backup of old keys to avoid any data loss.
> +
> +Under Security tab,
> +* Enable Secure Boot if disabled. The System Mode will be "User" by default.
> +* Click on "Reset To Setup Mode" to remove existing keys.
> +   Select "Yes" to delete all Secure Boot keys database
> +* The System Mode should change to "Setup" once we delete all Secure Boot keys.
> +
> +Under Save & Exit tab,
> +* Go to "Boot Override" and click on "UEFI: Built-in EFI shell" which will launch the EFI shell.
> +* In the EFI shell, run KeyTool.efi from the USB stick and add all Secure Boot keys from USB. Follow the step-4 from the section [Add Keys to OVMF](#add-keys-to-ovmf) to inject the Secure Boot keys.
> +
> +Exit from the KeyTool.efi and built-in EFI shell to BIOS.
> +
> +Optionally you can confirm the injected keys like below:
> +
> +Under security tab,
> +* Click on "Secure Boot" and then "Key Management" to confirm the injected Secure Boot keys (DB, KEK and PK).
> +
> +Under Save & Exit" tab
> +* Click on "Save Changes & Exit".
> +
> +Now the keys are injected, remove the USB stick.
> +
> +Flash the Secure Boot image to USB stick and insert the USB memory stick to M-COM device.
> +
> +Power on and Press F12 key to Enter BIOS setup.
> +
> +In the BIOS, Configure the device to boot from USB by following below steps
> +
> +Under "Boot" tab,
> +
> +* Select "Boot Option #1" as USB device from the "Boot Option Priorities" section.
> +
> +Under "Save & Exit" tab,
> +
> +* Click on "Save Changes & Exit". The M-COM board starts to boot the image from USB.
> +
> +After boot, check the dmesg for Secure Boot status like below:
> +```
> +root@demo:~# dmesg | grep Secure
> +[    0.008368] Secure boot enabled
> +```

This does not scale if we have to add a device-specific section to this
file for every reference device. Can you write this more generic what
was missing in the setup guide so far?

And for the deployment process, we really need a generic installation
stick. The manual steps should already be described, though.

Jan
Shivanand Kunijadar July 2, 2024, 6:40 a.m. UTC | #2
Hi Jan 

The changes that I have included in the patch file are specific to M-COM device. The steps may or may not be same for other x86 machines.  
As you can see there is separate section for M-COM secure boot which explains about enabling secure boot, injecting keys and verification part. 
If someone who is new to M-COM and if he wants to verify secure boot then this kind of detailed steps are necessary I feel. 
Also these steps will be helpful for BV members if they want to verify secure boot. 

I understand that the current secure boot README is generic so, we have two options now, 

- Create separate REAMDE similar to iwg20m[1] and keep all M-COM specific information     
- Extend the pdf document shared by Benjamin to include secure boot related information, but here maintaining and updating the pdf file is slightly complex. Also we need to check where should we keep this document.  

What do you think about these options, please let me know.      

I have also added an alternate option for keys enrolment using KeyTool.efi with detailed steps. I feel this would be fine in the current Secure Boot readme. 
Please let me know your opinion on this. 

[1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/doc/README_iwg20m.md?ref_type=heads 

As you mentioned about generic installation stick, right now I don't have much idea on how it will enable secure boot (basically BIOS changes) and inject the keys to M-COM device. 
Once we have that generic installation stick ready then we can think of revising/removing these M-COM device specific steps based on the situation. What do you say?   

Thanks & regards
Shivanand K

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com> 
Sent: Monday, July 1, 2024 1:17 PM
To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>; Quirin Gylstorff <quirin.gylstorff@siemens.com>
Subject: Re: [isar-cip-core] doc/REAME.secureboot.md: Add MCOM specific secure boot details

On 01.07.24 08:40, Shivanand wrote:
> Add separate section to configure and verify secure boot on MCOM device.
> This section includes the detailed steps to enable secure boot via 
> BIOS and inject keys using Keytool.efi and finally the verification part.
> 
> Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com>
> ---
>  doc/README.secureboot.md | 85 
> +++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 84 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index 
> 3ae4154..7917207 100644
> --- a/doc/README.secureboot.md
> +++ b/doc/README.secureboot.md
> @@ -322,7 +322,28 @@ The following keys need to be enrolled onto the device:
>  
>  The enrollment can typically be achieved with the help of
>  
> [efi-updatevar](https://manpages.debian.org/bookworm/efitools/efi-upda
> tevar.1.en.html) -on the device. Otherwise, consult the manual of the 
> specific UEFI Firmware.
> +on the device.
> +
> +If the device supports built in EFI shell then the enrollment of keys can also be done by KeyTool.efi tool like below:
> +
> +Format the USB memory stick
> +
> +```
> +host$ sudo mkfs.vfat <usb device>
> +host$ sudo mount -t vfat /dev/<usb device> /mnt/ ```
> +
> +Copy the KeyTool.efi binary and self signed Secure Boot keys to USB 
> +stick
> +
> +Here the folder "keys" contains Secure Boot keys(DB, KEK and PK).
> +```
> +host$ sudo apt install efitools
> +host$ sudo mkdir -p /mnt/efi/boot
> +host$ sudo cp /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi 
> +/mnt/efi/boot/KeyTool.efi host$ sudo cp -r keys /mnt/ host$ sudo 
> +umount /mnt ``` Launch KeyTool.efi binary from the built in EFI shell 
> +and follow step-4 from the section [Add Keys to OVMF](#add-keys-to-ovmf) to inject Secure Boot keys. Otherwise, consult the manual of the specific UEFI Firmware.
>  
>  Use the recipes [secure-boot-key](###secure-boot-key) to provided the 
> keys  to the signing script contained in @@ -334,3 +355,65 @@ During 
> building a efibootguard based wic image the scripts contained in  the 
> recipe ebg-secure-boot-signer can be used to sign the bootloader and  
> unified kernel image(UKI). If the keys are stored in a HSM the script 
> can  be exchanged to sign the artifacts in a more secure way.
> +
> +### Secure Boot configurations and verification on M-COM(X86)
> +
> +**Note:**
> +* All the steps are specific to M-COM RT X86 V1 device hence consult device specific manual for other devices for Secure Boot verification.
> +
> +Copy KeyTool.efi and UEFI keys into USB stick as mentioned in [Secure 
> +boot key enrollment](#secure-boot-key-enrollment)
> +
> +Insert USB memory stick to M-COM device.
> +
> +Power on and Press F12 key to Enter BIOS setup.
> +
> +**Note:**
> +* if you want to restore the default BIOS settings then Under "Save & 
> +Exit" tab, Click on "Restore User Defaults" and select "Yes" to restore default values.
> +
> +Enable Secure Boot and enter to Setup Mode by following below steps
> +
> +**Note:**
> +* Due to following step, old keys will be deleted hence it’s recommended to take backup of old keys to avoid any data loss.
> +
> +Under Security tab,
> +* Enable Secure Boot if disabled. The System Mode will be "User" by default.
> +* Click on "Reset To Setup Mode" to remove existing keys.
> +   Select "Yes" to delete all Secure Boot keys database
> +* The System Mode should change to "Setup" once we delete all Secure Boot keys.
> +
> +Under Save & Exit tab,
> +* Go to "Boot Override" and click on "UEFI: Built-in EFI shell" which will launch the EFI shell.
> +* In the EFI shell, run KeyTool.efi from the USB stick and add all Secure Boot keys from USB. Follow the step-4 from the section [Add Keys to OVMF](#add-keys-to-ovmf) to inject the Secure Boot keys.
> +
> +Exit from the KeyTool.efi and built-in EFI shell to BIOS.
> +
> +Optionally you can confirm the injected keys like below:
> +
> +Under security tab,
> +* Click on "Secure Boot" and then "Key Management" to confirm the injected Secure Boot keys (DB, KEK and PK).
> +
> +Under Save & Exit" tab
> +* Click on "Save Changes & Exit".
> +
> +Now the keys are injected, remove the USB stick.
> +
> +Flash the Secure Boot image to USB stick and insert the USB memory stick to M-COM device.
> +
> +Power on and Press F12 key to Enter BIOS setup.
> +
> +In the BIOS, Configure the device to boot from USB by following below 
> +steps
> +
> +Under "Boot" tab,
> +
> +* Select "Boot Option #1" as USB device from the "Boot Option Priorities" section.
> +
> +Under "Save & Exit" tab,
> +
> +* Click on "Save Changes & Exit". The M-COM board starts to boot the image from USB.
> +
> +After boot, check the dmesg for Secure Boot status like below:
> +```
> +root@demo:~# dmesg | grep Secure
> +[    0.008368] Secure boot enabled
> +```

This does not scale if we have to add a device-specific section to this file for every reference device. Can you write this more generic what was missing in the setup guide so far?

And for the deployment process, we really need a generic installation stick. The manual steps should already be described, though.

Jan

--
Siemens AG, Technology
Linux Expert Center
Jan Kiszka July 2, 2024, 1:04 p.m. UTC | #3
On 02.07.24 08:40, Shivanand.Kunijadar@toshiba-tsip.com wrote:
> Hi Jan 
> 
> The changes that I have included in the patch file are specific to M-COM device. The steps may or may not be same for other x86 machines.  
> As you can see there is separate section for M-COM secure boot which explains about enabling secure boot, injecting keys and verification part. 
> If someone who is new to M-COM and if he wants to verify secure boot then this kind of detailed steps are necessary I feel. 
> Also these steps will be helpful for BV members if they want to verify secure boot. 
> 
> I understand that the current secure boot README is generic so, we have two options now, 
> 
> - Create separate REAMDE similar to iwg20m[1] and keep all M-COM specific information     

If we really need to document these partially obvious things, they
should go into a separate file, maybe doc/boards/README.m-com-x86.

> - Extend the pdf document shared by Benjamin to include secure boot related information, but here maintaining and updating the pdf file is slightly complex. Also we need to check where should we keep this document.  
> 
> What do you think about these options, please let me know.      
> 
> I have also added an alternate option for keys enrolment using KeyTool.efi with detailed steps. I feel this would be fine in the current Secure Boot readme. 

As a workaround, but I would prefer some automated key enrollment over
READMEs mid-term. Everything except for the BIOS settings to enable
secure boot can be automated, via UEFI or via efitools from Linux.

Jan

> Please let me know your opinion on this. 
> 
> [1] https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/doc/README_iwg20m.md?ref_type=heads 
> 
> As you mentioned about generic installation stick, right now I don't have much idea on how it will enable secure boot (basically BIOS changes) and inject the keys to M-COM device. 
> Once we have that generic installation stick ready then we can think of revising/removing these M-COM device specific steps based on the situation. What do you say?   
> 
> Thanks & regards
> Shivanand K
> 
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com> 
> Sent: Monday, July 1, 2024 1:17 PM
> To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>; Quirin Gylstorff <quirin.gylstorff@siemens.com>
> Subject: Re: [isar-cip-core] doc/REAME.secureboot.md: Add MCOM specific secure boot details
> 
> On 01.07.24 08:40, Shivanand wrote:
>> Add separate section to configure and verify secure boot on MCOM device.
>> This section includes the detailed steps to enable secure boot via 
>> BIOS and inject keys using Keytool.efi and finally the verification part.
>>
>> Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com>
>> ---
>>  doc/README.secureboot.md | 85 
>> +++++++++++++++++++++++++++++++++++++++-
>>  1 file changed, 84 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index 
>> 3ae4154..7917207 100644
>> --- a/doc/README.secureboot.md
>> +++ b/doc/README.secureboot.md
>> @@ -322,7 +322,28 @@ The following keys need to be enrolled onto the device:
>>  
>>  The enrollment can typically be achieved with the help of
>>  
>> [efi-updatevar](https://manpages.debian.org/bookworm/efitools/efi-upda
>> tevar.1.en.html) -on the device. Otherwise, consult the manual of the 
>> specific UEFI Firmware.
>> +on the device.
>> +
>> +If the device supports built in EFI shell then the enrollment of keys can also be done by KeyTool.efi tool like below:
>> +
>> +Format the USB memory stick
>> +
>> +```
>> +host$ sudo mkfs.vfat <usb device>
>> +host$ sudo mount -t vfat /dev/<usb device> /mnt/ ```
>> +
>> +Copy the KeyTool.efi binary and self signed Secure Boot keys to USB 
>> +stick
>> +
>> +Here the folder "keys" contains Secure Boot keys(DB, KEK and PK).
>> +```
>> +host$ sudo apt install efitools
>> +host$ sudo mkdir -p /mnt/efi/boot
>> +host$ sudo cp /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi 
>> +/mnt/efi/boot/KeyTool.efi host$ sudo cp -r keys /mnt/ host$ sudo 
>> +umount /mnt ``` Launch KeyTool.efi binary from the built in EFI shell 
>> +and follow step-4 from the section [Add Keys to OVMF](#add-keys-to-ovmf) to inject Secure Boot keys. Otherwise, consult the manual of the specific UEFI Firmware.
>>  
>>  Use the recipes [secure-boot-key](###secure-boot-key) to provided the 
>> keys  to the signing script contained in @@ -334,3 +355,65 @@ During 
>> building a efibootguard based wic image the scripts contained in  the 
>> recipe ebg-secure-boot-signer can be used to sign the bootloader and  
>> unified kernel image(UKI). If the keys are stored in a HSM the script 
>> can  be exchanged to sign the artifacts in a more secure way.
>> +
>> +### Secure Boot configurations and verification on M-COM(X86)
>> +
>> +**Note:**
>> +* All the steps are specific to M-COM RT X86 V1 device hence consult device specific manual for other devices for Secure Boot verification.
>> +
>> +Copy KeyTool.efi and UEFI keys into USB stick as mentioned in [Secure 
>> +boot key enrollment](#secure-boot-key-enrollment)
>> +
>> +Insert USB memory stick to M-COM device.
>> +
>> +Power on and Press F12 key to Enter BIOS setup.
>> +
>> +**Note:**
>> +* if you want to restore the default BIOS settings then Under "Save & 
>> +Exit" tab, Click on "Restore User Defaults" and select "Yes" to restore default values.
>> +
>> +Enable Secure Boot and enter to Setup Mode by following below steps
>> +
>> +**Note:**
>> +* Due to following step, old keys will be deleted hence it’s recommended to take backup of old keys to avoid any data loss.
>> +
>> +Under Security tab,
>> +* Enable Secure Boot if disabled. The System Mode will be "User" by default.
>> +* Click on "Reset To Setup Mode" to remove existing keys.
>> +   Select "Yes" to delete all Secure Boot keys database
>> +* The System Mode should change to "Setup" once we delete all Secure Boot keys.
>> +
>> +Under Save & Exit tab,
>> +* Go to "Boot Override" and click on "UEFI: Built-in EFI shell" which will launch the EFI shell.
>> +* In the EFI shell, run KeyTool.efi from the USB stick and add all Secure Boot keys from USB. Follow the step-4 from the section [Add Keys to OVMF](#add-keys-to-ovmf) to inject the Secure Boot keys.
>> +
>> +Exit from the KeyTool.efi and built-in EFI shell to BIOS.
>> +
>> +Optionally you can confirm the injected keys like below:
>> +
>> +Under security tab,
>> +* Click on "Secure Boot" and then "Key Management" to confirm the injected Secure Boot keys (DB, KEK and PK).
>> +
>> +Under Save & Exit" tab
>> +* Click on "Save Changes & Exit".
>> +
>> +Now the keys are injected, remove the USB stick.
>> +
>> +Flash the Secure Boot image to USB stick and insert the USB memory stick to M-COM device.
>> +
>> +Power on and Press F12 key to Enter BIOS setup.
>> +
>> +In the BIOS, Configure the device to boot from USB by following below 
>> +steps
>> +
>> +Under "Boot" tab,
>> +
>> +* Select "Boot Option #1" as USB device from the "Boot Option Priorities" section.
>> +
>> +Under "Save & Exit" tab,
>> +
>> +* Click on "Save Changes & Exit". The M-COM board starts to boot the image from USB.
>> +
>> +After boot, check the dmesg for Secure Boot status like below:
>> +```
>> +root@demo:~# dmesg | grep Secure
>> +[    0.008368] Secure boot enabled
>> +```
> 
> This does not scale if we have to add a device-specific section to this file for every reference device. Can you write this more generic what was missing in the setup guide so far?
> 
> And for the deployment process, we really need a generic installation stick. The manual steps should already be described, though.
> 
> Jan
> 
> --
> Siemens AG, Technology
> Linux Expert Center
Shivanand Kunijadar July 3, 2024, 4:59 a.m. UTC | #4
Hi Jan, 

Thank you for your reply. I would like to have these steps in the repository. 
As you suggested, I will move the M-COM specific configurations and secure boot verification part into separate file (doc/boards/README.m-com-x86.md). 

Regarding the key enrolment, I understand that the automated keys injection is more preferable than the readme steps. 
But I would like to keep these steps until we have the working generic installation stick method. 

So, I will revise and send the v2 patches accordingly.   

Thanks & Regards
Shivanand K

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com> 
Sent: Tuesday, July 2, 2024 6:34 PM
To: kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>; quirin.gylstorff@siemens.com
Subject: Re: [isar-cip-core] doc/REAME.secureboot.md: Add MCOM specific secure boot details

On 02.07.24 08:40, Shivanand.Kunijadar@toshiba-tsip.com wrote:
> Hi Jan
> 
> The changes that I have included in the patch file are specific to M-COM device. The steps may or may not be same for other x86 machines.  
> As you can see there is separate section for M-COM secure boot which explains about enabling secure boot, injecting keys and verification part. 
> If someone who is new to M-COM and if he wants to verify secure boot then this kind of detailed steps are necessary I feel. 
> Also these steps will be helpful for BV members if they want to verify secure boot. 
> 
> I understand that the current secure boot README is generic so, we 
> have two options now,
> 
> - Create separate REAMDE similar to iwg20m[1] and keep all M-COM specific information     

If we really need to document these partially obvious things, they should go into a separate file, maybe doc/boards/README.m-com-x86.

> - Extend the pdf document shared by Benjamin to include secure boot related information, but here maintaining and updating the pdf file is slightly complex. Also we need to check where should we keep this document.  
> 
> What do you think about these options, please let me know.      
> 
> I have also added an alternate option for keys enrolment using KeyTool.efi with detailed steps. I feel this would be fine in the current Secure Boot readme. 

As a workaround, but I would prefer some automated key enrollment over READMEs mid-term. Everything except for the BIOS settings to enable secure boot can be automated, via UEFI or via efitools from Linux.

Jan

> Please let me know your opinion on this. 
> 
> [1] 
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/blob/master/do
> c/README_iwg20m.md?ref_type=heads
> 
> As you mentioned about generic installation stick, right now I don't have much idea on how it will enable secure boot (basically BIOS changes) and inject the keys to M-COM device. 
> Once we have that generic installation stick ready then we can think of revising/removing these M-COM device specific steps based on the situation. What do you say?   
> 
> Thanks & regards
> Shivanand K
> 
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com>
> Sent: Monday, July 1, 2024 1:17 PM
> To: kunijadar shivanand(TSIP TMIEC ODG Porting) 
> <Shivanand.Kunijadar@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Cc: dinesh kumar(TSIP TMIEC ODG Porting) 
> <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME 
> ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>; Quirin Gylstorff 
> <quirin.gylstorff@siemens.com>
> Subject: Re: [isar-cip-core] doc/REAME.secureboot.md: Add MCOM 
> specific secure boot details
> 
> On 01.07.24 08:40, Shivanand wrote:
>> Add separate section to configure and verify secure boot on MCOM device.
>> This section includes the detailed steps to enable secure boot via 
>> BIOS and inject keys using Keytool.efi and finally the verification part.
>>
>> Signed-off-by: Shivanand <Shivanand.Kunijadar@toshiba-tsip.com>
>> ---
>>  doc/README.secureboot.md | 85
>> +++++++++++++++++++++++++++++++++++++++-
>>  1 file changed, 84 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md 
>> index
>> 3ae4154..7917207 100644
>> --- a/doc/README.secureboot.md
>> +++ b/doc/README.secureboot.md
>> @@ -322,7 +322,28 @@ The following keys need to be enrolled onto the device:
>>  
>>  The enrollment can typically be achieved with the help of
>>  
>> [efi-updatevar](https://manpages.debian.org/bookworm/efitools/efi-upd
>> a
>> tevar.1.en.html) -on the device. Otherwise, consult the manual of the 
>> specific UEFI Firmware.
>> +on the device.
>> +
>> +If the device supports built in EFI shell then the enrollment of keys can also be done by KeyTool.efi tool like below:
>> +
>> +Format the USB memory stick
>> +
>> +```
>> +host$ sudo mkfs.vfat <usb device>
>> +host$ sudo mount -t vfat /dev/<usb device> /mnt/ ```
>> +
>> +Copy the KeyTool.efi binary and self signed Secure Boot keys to USB 
>> +stick
>> +
>> +Here the folder "keys" contains Secure Boot keys(DB, KEK and PK).
>> +```
>> +host$ sudo apt install efitools
>> +host$ sudo mkdir -p /mnt/efi/boot
>> +host$ sudo cp /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi
>> +/mnt/efi/boot/KeyTool.efi host$ sudo cp -r keys /mnt/ host$ sudo 
>> +umount /mnt ``` Launch KeyTool.efi binary from the built in EFI 
>> +shell and follow step-4 from the section [Add Keys to OVMF](#add-keys-to-ovmf) to inject Secure Boot keys. Otherwise, consult the manual of the specific UEFI Firmware.
>>  
>>  Use the recipes [secure-boot-key](###secure-boot-key) to provided 
>> the keys  to the signing script contained in @@ -334,3 +355,65 @@ 
>> During building a efibootguard based wic image the scripts contained 
>> in  the recipe ebg-secure-boot-signer can be used to sign the 
>> bootloader and unified kernel image(UKI). If the keys are stored in a 
>> HSM the script can  be exchanged to sign the artifacts in a more secure way.
>> +
>> +### Secure Boot configurations and verification on M-COM(X86)
>> +
>> +**Note:**
>> +* All the steps are specific to M-COM RT X86 V1 device hence consult device specific manual for other devices for Secure Boot verification.
>> +
>> +Copy KeyTool.efi and UEFI keys into USB stick as mentioned in 
>> +[Secure boot key enrollment](#secure-boot-key-enrollment)
>> +
>> +Insert USB memory stick to M-COM device.
>> +
>> +Power on and Press F12 key to Enter BIOS setup.
>> +
>> +**Note:**
>> +* if you want to restore the default BIOS settings then Under "Save 
>> +& Exit" tab, Click on "Restore User Defaults" and select "Yes" to restore default values.
>> +
>> +Enable Secure Boot and enter to Setup Mode by following below steps
>> +
>> +**Note:**
>> +* Due to following step, old keys will be deleted hence it’s recommended to take backup of old keys to avoid any data loss.
>> +
>> +Under Security tab,
>> +* Enable Secure Boot if disabled. The System Mode will be "User" by default.
>> +* Click on "Reset To Setup Mode" to remove existing keys.
>> +   Select "Yes" to delete all Secure Boot keys database
>> +* The System Mode should change to "Setup" once we delete all Secure Boot keys.
>> +
>> +Under Save & Exit tab,
>> +* Go to "Boot Override" and click on "UEFI: Built-in EFI shell" which will launch the EFI shell.
>> +* In the EFI shell, run KeyTool.efi from the USB stick and add all Secure Boot keys from USB. Follow the step-4 from the section [Add Keys to OVMF](#add-keys-to-ovmf) to inject the Secure Boot keys.
>> +
>> +Exit from the KeyTool.efi and built-in EFI shell to BIOS.
>> +
>> +Optionally you can confirm the injected keys like below:
>> +
>> +Under security tab,
>> +* Click on "Secure Boot" and then "Key Management" to confirm the injected Secure Boot keys (DB, KEK and PK).
>> +
>> +Under Save & Exit" tab
>> +* Click on "Save Changes & Exit".
>> +
>> +Now the keys are injected, remove the USB stick.
>> +
>> +Flash the Secure Boot image to USB stick and insert the USB memory stick to M-COM device.
>> +
>> +Power on and Press F12 key to Enter BIOS setup.
>> +
>> +In the BIOS, Configure the device to boot from USB by following 
>> +below steps
>> +
>> +Under "Boot" tab,
>> +
>> +* Select "Boot Option #1" as USB device from the "Boot Option Priorities" section.
>> +
>> +Under "Save & Exit" tab,
>> +
>> +* Click on "Save Changes & Exit". The M-COM board starts to boot the image from USB.
>> +
>> +After boot, check the dmesg for Secure Boot status like below:
>> +```
>> +root@demo:~# dmesg | grep Secure
>> +[    0.008368] Secure boot enabled
>> +```
> 
> This does not scale if we have to add a device-specific section to this file for every reference device. Can you write this more generic what was missing in the setup guide so far?
> 
> And for the deployment process, we really need a generic installation stick. The manual steps should already be described, though.
> 
> Jan
> 
> --
> Siemens AG, Technology
> Linux Expert Center

--
Siemens AG, Technology
Linux Expert Center
diff mbox series

Patch

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 3ae4154..7917207 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -322,7 +322,28 @@  The following keys need to be enrolled onto the device:
 
 The enrollment can typically be achieved with the help of
 [efi-updatevar](https://manpages.debian.org/bookworm/efitools/efi-updatevar.1.en.html)
-on the device. Otherwise, consult the manual of the specific UEFI Firmware.
+on the device.
+
+If the device supports built in EFI shell then the enrollment of keys can also be done by KeyTool.efi tool like below:
+
+Format the USB memory stick
+
+```
+host$ sudo mkfs.vfat <usb device>
+host$ sudo mount -t vfat /dev/<usb device> /mnt/
+```
+
+Copy the KeyTool.efi binary and self signed Secure Boot keys to USB stick
+
+Here the folder "keys" contains Secure Boot keys(DB, KEK and PK).
+```
+host$ sudo apt install efitools
+host$ sudo mkdir -p /mnt/efi/boot
+host$ sudo cp /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi /mnt/efi/boot/KeyTool.efi
+host$ sudo cp -r keys /mnt/
+host$ sudo umount /mnt
+```
+Launch KeyTool.efi binary from the built in EFI shell and follow step-4 from the section [Add Keys to OVMF](#add-keys-to-ovmf) to inject Secure Boot keys. Otherwise, consult the manual of the specific UEFI Firmware.
 
 Use the recipes [secure-boot-key](###secure-boot-key) to provided the keys
 to the signing script contained in
@@ -334,3 +355,65 @@  During building a efibootguard based wic image the scripts contained in
 the recipe ebg-secure-boot-signer can be used to sign the bootloader and
 unified kernel image(UKI). If the keys are stored in a HSM the script can
 be exchanged to sign the artifacts in a more secure way.
+
+### Secure Boot configurations and verification on M-COM(X86)
+
+**Note:**
+* All the steps are specific to M-COM RT X86 V1 device hence consult device specific manual for other devices for Secure Boot verification.
+
+Copy KeyTool.efi and UEFI keys into USB stick as mentioned in [Secure boot key enrollment](#secure-boot-key-enrollment)
+
+Insert USB memory stick to M-COM device.
+
+Power on and Press F12 key to Enter BIOS setup.
+
+**Note:**
+* if you want to restore the default BIOS settings then
+Under "Save & Exit" tab, Click on "Restore User Defaults" and select "Yes" to restore default values.
+
+Enable Secure Boot and enter to Setup Mode by following below steps
+
+**Note:**
+* Due to following step, old keys will be deleted hence it’s recommended to take backup of old keys to avoid any data loss.
+
+Under Security tab,
+* Enable Secure Boot if disabled. The System Mode will be "User" by default.
+* Click on "Reset To Setup Mode" to remove existing keys.
+   Select "Yes" to delete all Secure Boot keys database
+* The System Mode should change to "Setup" once we delete all Secure Boot keys.
+
+Under Save & Exit tab,
+* Go to "Boot Override" and click on "UEFI: Built-in EFI shell" which will launch the EFI shell.
+* In the EFI shell, run KeyTool.efi from the USB stick and add all Secure Boot keys from USB. Follow the step-4 from the section [Add Keys to OVMF](#add-keys-to-ovmf) to inject the Secure Boot keys.
+
+Exit from the KeyTool.efi and built-in EFI shell to BIOS.
+
+Optionally you can confirm the injected keys like below:
+
+Under security tab,
+* Click on "Secure Boot" and then "Key Management" to confirm the injected Secure Boot keys (DB, KEK and PK).
+
+Under Save & Exit" tab
+* Click on "Save Changes & Exit".
+
+Now the keys are injected, remove the USB stick.
+
+Flash the Secure Boot image to USB stick and insert the USB memory stick to M-COM device.
+
+Power on and Press F12 key to Enter BIOS setup.
+
+In the BIOS, Configure the device to boot from USB by following below steps
+
+Under "Boot" tab,
+
+* Select "Boot Option #1" as USB device from the "Boot Option Priorities" section.
+
+Under "Save & Exit" tab,
+
+* Click on "Save Changes & Exit". The M-COM board starts to boot the image from USB.
+
+After boot, check the dmesg for Secure Boot status like below:
+```
+root@demo:~# dmesg | grep Secure
+[    0.008368] Secure boot enabled
+```