| Message ID | 20200821095559.28467-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
|---|---|
| Series | secureboot with efibootguard |
On 21.08.20 11:55, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This patchset adds secureboot with efibootguard to cip-core.
>
> The image build signs the efibootguard bootloader (bootx64.efi) and generates
> a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
> A unified kernel image packs the kernel, initramfs and the kernel command-line
> in one binary object. As the kernel command-line is immutable after the build
> process, the previous selection of the root file system with a command-line
> parameter is no longer possible. Therefore the selection of the root file-system
> occurs now in the initramfs.
>
> The image uses an A/B partition layout to update the root file system. The
> sample implementation to select the root file system generates a uuid and
> stores the id in /etc/os-release and in the initramfs. During boot the
> initramfs compares its own uuid with the uuid stored in /etc/os-release of
> each rootfs. If a match is found the rootfs is used for the boot.
>
> Changes V2:
>
> - rebase to [1]
> - removed luahandler patch as it is now part of [1]
> - add handling for sw-description
>
> Changes V3:
>
> - rewrite the image id creation to ensure a new uuid is generated if a new
>   package is added or another change of the rootfs
> - add readme section how to execute/test the software update mechanism
> - adapt to version v3 of [1]
> - update the patch
> - add wks file for efibootguard and swupdate
>
> [1]: a/b rootfsupdate with software update
>
> Changes V4:
>
> - rebase onto next 619edb509bd287277749580cbc842e57d5044756
> - fix indent of ./start-qemu.sh
> - whitespace fixes
> - update libubootenv patch to v2
> - update revision of cip-kernel-config to
>   ca24d965adf77730caf1cd32bdfcffd69e369502 to boot secureboot with qemu
> - swupdate swdescription for non-secure-boot images
>
> Quirin Gylstorff (6):
>   linux-cip: Update revision of kernel config
>   isar-patch: Add initramfs-config patch
>   secure-boot: select boot partition in initramfs
>   secure-boot: Add secure boot with unified kernel image
>   secure-boot: Add Debian snakeoil keys for ease-of-use
>   doc: Add README for secureboot
>
>  classes/image_uuid.bbclass                    |  33 +++
>  conf/distro/debian-buster-backports.list      |   1 +
>  conf/distro/preferences.ovmf-snakeoil.conf    |   3 +
>  doc/README.secureboot.md                      | 229 ++++++++++++++++++
>  .../0001-u-boot-add-libubootenv.patch         | 161 ++++++------
>  ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++
>  kas-cip.yml                                   |   3 +
>  kas/opt/ebg-secure-boot-base.yml              |  18 ++
>  kas/opt/ebg-secure-boot-snakeoil.yml          |  28 +++
>  kas/opt/ebg-swu.yml                           |   4 +-
>  recipes-core/images/cip-core-image.bb         |  12 +-
>  .../files/secure-boot/sw-description.tmpl     |  29 +++
>  recipes-core/images/files/sw-description.tmpl |  19 +-
>  recipes-core/images/secureboot.inc            |  21 ++
>  recipes-core/images/swupdate.inc              |  21 ++
>  .../ebg-secure-boot-secrets_0.1.bb            |  51 ++++
>  .../ebg-secure-boot-secrets/files/README.md   |   1 +
>  .../files/control.tmpl                        |  12 +
>  .../files/sign_secure_image.sh.tmpl           |  22 ++
>  .../ebg-secure-boot-snakeoil_0.1.bb           |  34 +++
>  .../files/control.tmpl                        |  12 +
>  .../files/sign_secure_image.sh                |  36 +++
>  .../ovmf-binaries/files/control.tmpl          |  11 +
>  .../ovmf-binaries/ovmf-binaries_0.1.bb        |  30 +++
>  recipes-kernel/linux/linux-cip-common.inc     |   2 +-
>  .../files/initramfs.image_uuid.hook           |  33 +++
>  .../files/initramfs.lsblk.hook                |  29 +++
>  .../initramfs-config/files/postinst.ext       |   3 +
>  .../files/secure-boot-debian-local-patch      |  79 ++++++
>  .../initramfs-abrootfs-secureboot_0.1.bb      |  38 +++
>  ...enerate-sb-db-from-existing-certificate.sh |  16 ++
>  scripts/generate_secure_boot_keys.sh          |  51 ++++
>  .../wic/plugins/source/efibootguard-boot.py   |  87 ++++++-
>  .../wic/plugins/source/efibootguard-efi.py    |  40 ++-
>  scripts/start-efishell.sh                     |  12 +
>  start-qemu.sh                                 |  59 +++--
>  wic/ebg-signed-bootloader.inc                 |   2 +
>  wic/qemu-amd64-efibootguard-secureboot.wks    |   9 +
>  wic/qemu-amd64-efibootguard.wks               |   1 -
>  39 files changed, 1330 insertions(+), 129 deletions(-)
>  create mode 100644 classes/image_uuid.bbclass
>  create mode 100644 conf/distro/debian-buster-backports.list
>  create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
>  create mode 100644 doc/README.secureboot.md
>  create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
>  create mode 100644 kas/opt/ebg-secure-boot-base.yml
>  create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
>  create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
>  create mode 100644 recipes-core/images/secureboot.inc
>  create mode 100644 recipes-core/images/swupdate.inc
>  create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
>  create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
>  create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
>  create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
>  create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
>  create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
>  create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
>  create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
>  create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
>  create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
>  create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
>  create mode 100644 recipes-support/initramfs-config/files/postinst.ext
>  create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
>  create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
>  create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
>  create mode 100755 scripts/generate_secure_boot_keys.sh
>  create mode 100755 scripts/start-efishell.sh
>  create mode 100644 wic/ebg-signed-bootloader.inc
>  create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks

I've taken this to next, but this also needs a hook-up with the CI system.

Thanks,
Jan
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset adds secureboot with efibootguard to cip-core.

The image build signs the efibootguard bootloader (bootx64.efi) and generates
a signed [unified kernel image](https://systemd.io/BOOT_LOADER_SPECIFICATION/).
A unified kernel image packs the kernel, initramfs and the kernel command-line
in one binary object. As the kernel command-line is immutable after the build
process, the previous selection of the root file system with a command-line
parameter is no longer possible. Therefore the selection of the root file-system
occurs now in the initramfs.

The image uses an A/B partition layout to update the root file system. The
sample implementation to select the root file system generates a uuid and
stores the id in /etc/os-release and in the initramfs. During boot the
initramfs compares its own uuid with the uuid stored in /etc/os-release of
each rootfs. If a match is found the rootfs is used for the boot.

Changes V2:

- rebase to [1]
- removed luahandler patch as it is now part of [1]
- add handling for sw-description

Changes V3:

- rewrite the image id creation to ensure a new uuid is generated if a new
  package is added or another change of the rootfs
- add readme section how to execute/test the software update mechanism
- adapt to version v3 of [1]
- update the patch
- add wks file for efibootguard and swupdate

[1]: a/b rootfsupdate with software update

Changes V4:

- rebase onto next 619edb509bd287277749580cbc842e57d5044756
- fix indent of ./start-qemu.sh
- whitespace fixes
- update libubootenv patch to v2
- update revision of cip-kernel-config to
  ca24d965adf77730caf1cd32bdfcffd69e369502 to boot secureboot with qemu
- swupdate swdescription for non-secure-boot images

Quirin Gylstorff (6):
  linux-cip: Update revision of kernel config
  isar-patch: Add initramfs-config patch
  secure-boot: select boot partition in initramfs
  secure-boot: Add secure boot with unified kernel image
  secure-boot: Add Debian snakeoil keys for ease-of-use
  doc: Add README for secureboot

 classes/image_uuid.bbclass                    |  33 +++
 conf/distro/debian-buster-backports.list      |   1 +
 conf/distro/preferences.ovmf-snakeoil.conf    |   3 +
 doc/README.secureboot.md                      | 229 ++++++++++++++++++
 .../0001-u-boot-add-libubootenv.patch         | 161 ++++++------
 ...-support-Generate-a-custom-initramfs.patch | 207 ++++++++++++++++
 kas-cip.yml                                   |   3 +
 kas/opt/ebg-secure-boot-base.yml              |  18 ++
 kas/opt/ebg-secure-boot-snakeoil.yml          |  28 +++
 kas/opt/ebg-swu.yml                           |   4 +-
 recipes-core/images/cip-core-image.bb         |  12 +-
 .../files/secure-boot/sw-description.tmpl     |  29 +++
 recipes-core/images/files/sw-description.tmpl |  19 +-
 recipes-core/images/secureboot.inc            |  21 ++
 recipes-core/images/swupdate.inc              |  21 ++
 .../ebg-secure-boot-secrets_0.1.bb            |  51 ++++
 .../ebg-secure-boot-secrets/files/README.md   |   1 +
 .../files/control.tmpl                        |  12 +
 .../files/sign_secure_image.sh.tmpl           |  22 ++
 .../ebg-secure-boot-snakeoil_0.1.bb           |  34 +++
 .../files/control.tmpl                        |  12 +
 .../files/sign_secure_image.sh                |  36 +++
 .../ovmf-binaries/files/control.tmpl          |  11 +
 .../ovmf-binaries/ovmf-binaries_0.1.bb        |  30 +++
 recipes-kernel/linux/linux-cip-common.inc     |   2 +-
 .../files/initramfs.image_uuid.hook           |  33 +++
 .../files/initramfs.lsblk.hook                |  29 +++
 .../initramfs-config/files/postinst.ext       |   3 +
 .../files/secure-boot-debian-local-patch      |  79 ++++++
 .../initramfs-abrootfs-secureboot_0.1.bb      |  38 +++
 ...enerate-sb-db-from-existing-certificate.sh |  16 ++
 scripts/generate_secure_boot_keys.sh          |  51 ++++
 .../wic/plugins/source/efibootguard-boot.py   |  87 ++++++-
 .../wic/plugins/source/efibootguard-efi.py    |  40 ++-
 scripts/start-efishell.sh                     |  12 +
 start-qemu.sh                                 |  59 +++--
 wic/ebg-signed-bootloader.inc                 |   2 +
 wic/qemu-amd64-efibootguard-secureboot.wks    |   9 +
 wic/qemu-amd64-efibootguard.wks               |   1 -
 39 files changed, 1330 insertions(+), 129 deletions(-)
 create mode 100644 classes/image_uuid.bbclass
 create mode 100644 conf/distro/debian-buster-backports.list
 create mode 100644 conf/distro/preferences.ovmf-snakeoil.conf
 create mode 100644 doc/README.secureboot.md
 create mode 100644 isar-patches/v7-0001-meta-support-Generate-a-custom-initramfs.patch
 create mode 100644 kas/opt/ebg-secure-boot-base.yml
 create mode 100644 kas/opt/ebg-secure-boot-snakeoil.yml
 create mode 100644 recipes-core/images/files/secure-boot/sw-description.tmpl
 create mode 100644 recipes-core/images/secureboot.inc
 create mode 100644 recipes-core/images/swupdate.inc
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/ebg-secure-boot-secrets_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/README.md
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-secrets/files/sign_secure_image.sh.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/ebg-secure-boot-snakeoil_0.1.bb
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/control.tmpl
 create mode 100644 recipes-devtools/ebg-secure-boot-snakeoil/files/sign_secure_image.sh
 create mode 100644 recipes-devtools/ovmf-binaries/files/control.tmpl
 create mode 100644 recipes-devtools/ovmf-binaries/ovmf-binaries_0.1.bb
 create mode 100644 recipes-support/initramfs-config/files/initramfs.image_uuid.hook
 create mode 100644 recipes-support/initramfs-config/files/initramfs.lsblk.hook
 create mode 100644 recipes-support/initramfs-config/files/postinst.ext
 create mode 100644 recipes-support/initramfs-config/files/secure-boot-debian-local-patch
 create mode 100644 recipes-support/initramfs-config/initramfs-abrootfs-secureboot_0.1.bb
 create mode 100755 scripts/generate-sb-db-from-existing-certificate.sh
 create mode 100755 scripts/generate_secure_boot_keys.sh
 create mode 100755 scripts/start-efishell.sh
 create mode 100644 wic/ebg-signed-bootloader.inc
 create mode 100644 wic/qemu-amd64-efibootguard-secureboot.wks
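The root selection the cover letter describes (the initramfs matches its own uuid against /etc/os-release of each A/B rootfs) as an added example; this is not code from the cip-core patchset. It assumes the os-release key is named IMAGE_UUID and that the candidate partitions are already mounted read-only under one directory; the real hook would enumerate and mount the block devices itself.

```shell
# Added example, not the patchset's own initramfs hook.
# Assumption: the uuid lives in /etc/os-release under the key IMAGE_UUID.

# Print the IMAGE_UUID value of an os-release file (empty if the key is absent).
read_image_uuid() {
    sed -n 's/^IMAGE_UUID=\(.*\)$/\1/p' "$1" | tr -d '"' | head -n 1
}

# Pick the candidate rootfs whose os-release id equals the initramfs' own id.
# $1: uuid embedded in the initramfs, $2: directory holding one mount point
# per candidate partition. Prints the matching mount point; returns 1 when no
# candidate or more than one candidate matches, so an ambiguous layout is
# refused rather than silently booting the first hit.
select_rootfs() {
    own="$1"; base="$2"; match=""; count=0
    for cand in "$base"/*; do
        [ -f "$cand/etc/os-release" ] || continue
        id=$(read_image_uuid "$cand/etc/os-release")
        # Exact string comparison: an empty or prefix value must not match.
        if [ -n "$id" ] && [ "$id" = "$own" ]; then
            match="$cand"; count=$((count + 1))
        fi
    done
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$match"
}

# Constructed sample: slot A (sda2) carries an older image id, slot B (sda3)
# carries the id of the currently booted initramfs.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/sda2/etc" "$base/sda3/etc"
    printf 'NAME="cip-core"\nIMAGE_UUID="1111-aaaa"\n' > "$base/sda2/etc/os-release"
    printf 'NAME="cip-core"\nIMAGE_UUID="2222-bbbb"\n' > "$base/sda3/etc/os-release"
    printf '%s\n' "$base"
}
```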