From patchwork Thu Jun 25 14:10:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Quirin Gylstorff X-Patchwork-Id: 11625471 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 577331731 for ; Thu, 25 Jun 2020 14:10:22 +0000 (UTC) Received: from web01.groups.io (web01.groups.io [66.175.222.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 31BC7206C3 for ; Thu, 25 Jun 2020 14:10:22 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=lists.cip-project.org header.i=@lists.cip-project.org header.b="qZ78OQ7q" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 31BC7206C3 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=siemens.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=bounce+64572+4824+4520428+8129116@lists.cip-project.org X-Received: by 127.0.0.2 with SMTP id sXnIYY4521763x0T2K1uJTpi; Thu, 25 Jun 2020 07:10:22 -0700 X-Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by mx.groups.io with SMTP id smtpd.web11.11422.1593094219811091747 for ; Thu, 25 Jun 2020 07:10:20 -0700 X-Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id 05PEAH8N021243 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Thu, 25 Jun 2020 16:10:17 +0200 X-Received: from md2dvrtc.ad001.siemens.net ([167.87.6.122]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id 05PEAFXT000356; Thu, 25 Jun 2020 16:10:16 +0200 From: "Quirin Gylstorff" To: cip-dev@lists.cip-project.org, Jan.Kiszka@siemens.com Cc: Quirin Gylstorff Subject: [cip-dev] [isar-cip-core RFC 0/7] secureboot with efibootguard Date: Thu, 25 Jun 2020 16:10:08 +0200 Message-Id: <20200625141015.31719-1-Quirin.Gylstorff@siemens.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: cip-dev@lists.cip-project.org List-Id: Mailing-List: list cip-dev@lists.cip-project.org; contact cip-dev+owner@lists.cip-project.org Delivered-To: mailing list cip-dev@lists.cip-project.org Reply-To: cip-dev@lists.cip-project.org X-Gm-Message-State: hc4MRSZFTe2mtMPjNcxL5VuIx4520428AA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.cip-project.org; q=dns/txt; s=20140610; t=1593094222; bh=1HBsSIoXOMczCtkK/U4GDNqY8zX72O+lqEmtNu6MyBI=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=qZ78OQ7q95BIRdRK3+rmdLmic7dDHxZYTV9GMibr59BjWfIXHP8ABBVqZMh2YrSDilH hp19ooawoqRfcu8JhFhGku81ilWVswItQaemj7lpKo0neEPXW2lUK44QyV1xNf4WKxslq ejv7Swf8PtqGPXrx5i0QGXmaLid9GJ6FIBk= From: Quirin Gylstorff This patchset adds secureboot with efibootguard to cip-core. The image build signs the efibootguard bootloader (bootx64.efi) and generates a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/). A unified kernel image packs the kernel, initramfs and the kernel command-line in one binary object. As the kernel command-line is immutable after the build process, the previous selection of the root file system with a command-line parameter is no longer possible. Therefore the selection of the root file-system occurs now in the initramfs. The image uses an A/B partition layout to update the root file system. The sample implementation to select the root file system generates a uuid and stores the id in /etc/os-release and in the initramfs. During boot the initramfs compares its own uuid with the uuid stored in /etc/os-release of each rootfs. If a match is found the rootfs is used for the boot. Quirin Gylstorff (7): kernel: add fat for qemu-amd64 isar-patch: Add initramfs-config patch secure-boot: select boot partition in initramfs secure-boot: Add secure boot with unified kernel image secure-boot: Add Debian snakeoil keys for ease-of-use swupdate: Add luahandler for secureboot doc: Add README for secureboot classes/image_uuid.bbclass | 29 +++ conf/distro/debian-buster-backports.list | 1 + conf/distro/preferences.ovmf-snakeoil.conf | 3 + doc/README.secureboot.md | 188 ++++++++++++++++ ...-support-Generate-a-custom-initramfs.patch | 208 ++++++++++++++++++ kas/cip.yml | 3 + kas/opt/ebg-secure-boot-base.yml | 30 +++ kas/opt/ebg-secure-boot-snakeoil.yml | 31 +++ kas/opt/qemu-wic.yml | 14 ++ recipes-core/images/cip-core-image.bb | 2 +- .../swupdate/files/swupdate_handlers.lua | 8 +- .../ebg-secure-boot-secrets_0.1.bb | 52 +++++ .../ebg-secure-boot-secrets/files/README.md | 1 + .../files/control.tmpl | 12 + .../files/sign_secure_image.sh.tmpl | 22 ++ .../ebg-secure-boot-snakeoil_0.1.bb | 35 +++ .../files/control.tmpl | 12 + .../files/sign_secure_image.sh | 36 +++ .../ovmf-binaries/files/control.tmpl | 11 + .../ovmf-binaries/ovmf-binaries_0.1.bb | 30 +++ .../linux/files/qemu-amd64_defconfig | 6 + .../files/initramfs.image_uuid.hook | 33 +++ .../files/initramfs.lsblk.hook | 29 +++ .../initramfs-config/files/postinst.ext | 3 + .../files/secure-boot-debian-local-patch | 77 +++++++ .../initramfs-config_0.1-cip.bb | 38 ++++ ...enerate-sb-db-from-existing-certificate.sh | 16 ++ scripts/generate_secure_boot_keys.sh | 51 +++++ .../wic/plugins/source/efibootguard-boot.py | 87 +++++++- .../wic/plugins/source/efibootguard-efi.py | 40 +++- scripts/start-efishell.sh | 12 + start-qemu.sh | 54 ++++- wic/ebg-signed-bootloader.inc | 2 + wic/qemu-amd64-efibootguard.wks | 11 +- 34 files changed, 1157 insertions(+), 30 deletions(-) create mode 100644 classes/image_uuid.bbclass create mode 100644 conf/distro/debian-buster-backports.list create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf create mode 100644 doc/README.secureboot.md create mode 100644 isar-patches/v6-0001-meta-support-Generate-a-custom-initramfs.patch create mode 100644 kas/opt/ebg-secure-boot-base.yml create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml create mode 100644 kas/opt/qemu-wic.yml create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook create mode 100644 recipes-support/initramfs-config/files/postinst.ext create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch create mode 100644 recipes-support/initramfs-config/initramfs-config_0.1-cip.bb create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh create mode 100755 scripts/generate_secure_boot_keys.sh create mode 100755 scripts/start-efishell.sh create mode 100644 wic/ebg-signed-bootloader.inc