Message ID | 20230502153759.1284906-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
Series | Fixes for secure boot |
On 02.05.23 17:37, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This patchset fixes secure-boot and disk-encryption for Debian Buster
> by adding the debian buster specific certificates and adjusting the
> binaries and dependencies for clevis 16.
>
> It also fixes the disk encryption for Debian bookworm by adding a
> missing dependency to libcryptsetup-token-systemd-tpm2.
>
>
> Changes v4:
> - Correct kas command line in README.tpm2.encryption.md
> - Fix build of ARM64 and ARM for buster with encryption
>   This fixes only the build - currently arm64/arm with secure boot
>   enabled on buster fails during boot with the following message:
>
>   TFTP error: 'Access violation' (2)
>   Not retrying...
>   EFI Boot failed!
>
> - Update Linux kernel config
>
> Changes v3:
> - Activate encryption for buster ci job
> - Adjust whitespaces
> - Address shellcheck findings
>
> Changes v2:
> - use OVERRIDE and add missing space to linux-cip-common for
>   encrypt-partitions with Debian buster
>
> Quirin Gylstorff (7):
>   secure-boot-secrets: Use distro specific snakeoil certs and keys
>   initramfs-crypt-hook: Add support for buster
>   linux: Add missing kernel option for LUKS2 encrpyted partitions on
>     buster
>   initramfs-crypt-hook: Add libcryptsetup-token-systemd-tpm2.so
>   initramfs-crypt-hook/systemd: Address shellcheck findings
>   .gitlabci: Enable encryption for on buster
>   doc/README.tpm2.encryption: Correct kas option
>
>  .gitlab-ci.yml                                     |  1 +
>  doc/README.tpm2.encryption.md                      |  2 +-
>  .../secure-boot-secrets/files/bookworm             |  1 +
>  .../files/{ => bullseye}/PkKek-1-snakeoil.key      |  0
>  .../files/{ => bullseye}/PkKek-1-snakeoil.pem      |  0
>  .../files/buster/PkKek-1-snakeoil.key              | 28 +++++++++++++++++++
>  .../files/buster/PkKek-1-snakeoil.pem              | 19 +++++++++++++
>  .../secure-boot-snakeoil_0.1.bb                    |  4 +--
>  .../files/encrypt_partition.clevis.hook            | 28 +++++++++++++++----
>  .../files/encrypt_partition.clevis.script          |  3 +-
>  .../files/encrypt_partition.systemd.hook           |  3 +-
>  .../files/encrypt_partition.systemd.script         | 28 +++++++++----------
>  .../initramfs-crypt-hook_0.1.bb                    |  5 ++--
>  recipes-kernel/linux/linux-cip-common.inc          |  2 +-
>  14 files changed, 96 insertions(+), 28 deletions(-)
>  create mode 120000 recipes-devtools/secure-boot-secrets/files/bookworm
>  rename recipes-devtools/secure-boot-secrets/files/{ => bullseye}/PkKek-1-snakeoil.key (100%)
>  rename recipes-devtools/secure-boot-secrets/files/{ => bullseye}/PkKek-1-snakeoil.pem (100%)
>  create mode 100644 recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.key
>  create mode 100644 recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.pem

Thanks, applied to next.

Jan
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This patchset fixes secure-boot and disk-encryption for Debian Buster
by adding the debian buster specific certificates and adjusting the
binaries and dependencies for clevis 16.

It also fixes the disk encryption for Debian bookworm by adding a
missing dependency to libcryptsetup-token-systemd-tpm2.


Changes v4:
- Correct kas command line in README.tpm2.encryption.md
- Fix build of ARM64 and ARM for buster with encryption
  This fixes only the build - currently arm64/arm with secure boot
  enabled on buster fails during boot with the following message:

  TFTP error: 'Access violation' (2)
  Not retrying...
  EFI Boot failed!

- Update Linux kernel config

Changes v3:
- Activate encryption for buster ci job
- Adjust whitespaces
- Address shellcheck findings

Changes v2:
- use OVERRIDE and add missing space to linux-cip-common for
  encrypt-partitions with Debian buster

Quirin Gylstorff (7):
  secure-boot-secrets: Use distro specific snakeoil certs and keys
  initramfs-crypt-hook: Add support for buster
  linux: Add missing kernel option for LUKS2 encrpyted partitions on
    buster
  initramfs-crypt-hook: Add libcryptsetup-token-systemd-tpm2.so
  initramfs-crypt-hook/systemd: Address shellcheck findings
  .gitlabci: Enable encryption for on buster
  doc/README.tpm2.encryption: Correct kas option

 .gitlab-ci.yml                                     |  1 +
 doc/README.tpm2.encryption.md                      |  2 +-
 .../secure-boot-secrets/files/bookworm             |  1 +
 .../files/{ => bullseye}/PkKek-1-snakeoil.key      |  0
 .../files/{ => bullseye}/PkKek-1-snakeoil.pem      |  0
 .../files/buster/PkKek-1-snakeoil.key              | 28 +++++++++++++++++++
 .../files/buster/PkKek-1-snakeoil.pem              | 19 +++++++++++++
 .../secure-boot-snakeoil_0.1.bb                    |  4 +--
 .../files/encrypt_partition.clevis.hook            | 28 +++++++++++++++----
 .../files/encrypt_partition.clevis.script          |  3 +-
 .../files/encrypt_partition.systemd.hook           |  3 +-
 .../files/encrypt_partition.systemd.script         | 28 +++++++++----------
 .../initramfs-crypt-hook_0.1.bb                    |  5 ++--
 recipes-kernel/linux/linux-cip-common.inc          |  2 +-
 14 files changed, 96 insertions(+), 28 deletions(-)
 create mode 120000 recipes-devtools/secure-boot-secrets/files/bookworm
 rename recipes-devtools/secure-boot-secrets/files/{ => bullseye}/PkKek-1-snakeoil.key (100%)
 rename recipes-devtools/secure-boot-secrets/files/{ => bullseye}/PkKek-1-snakeoil.pem (100%)
 create mode 100644 recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.key
 create mode 100644 recipes-devtools/secure-boot-secrets/files/buster/PkKek-1-snakeoil.pem
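The series above fixes two unlock paths for the encrypted root: clevis (buster) and the systemd-tpm2 LUKS2 token plugin (bookworm), where the bookworm failure was simply that libcryptsetup-token-systemd-tpm2.so never made it into the initramfs. A practical check before trusting such a build is to look at the LUKS2 token metadata on the device and ask which helper each token needs and which PCRs it is sealed to. The script below is an added example, not code from isar-cip-core or from the patch series: it reads the JSON that `cryptsetup luksDump --dump-json-metadata <dev>` prints, and the sample metadata is constructed in the file (blobs replaced by placeholders). The token field names (`tpm2-pcrs`, `tpm2-pcr-bank` for systemd-tpm2; the `clevis.tpm2.pcr_ids` string inside the JWE protected header for clevis) are taken from the systemd and clevis on-disk formats as I know them, and the helper names mapped to each token type are my assumption based on the cover letter.

```python
"""Audit LUKS2 tokens: which initramfs helper does each one need, and is it
bound to the Secure Boot PCR? Added example, not part of the isar-cip-core
patch series. Input: JSON from `cryptsetup luksDump --dump-json-metadata`.
"""
import base64
import json

# Assumption (from the cover letter): systemd-tpm2 tokens are unlocked by the
# libcryptsetup plugin, clevis tokens by the clevis userspace in the initramfs.
REQUIRED_HELPER = {
    "systemd-tpm2": "libcryptsetup-token-systemd-tpm2.so",
    "clevis": "clevis-luks-unlock (clevis, clevis-luks)",
}

SECURE_BOOT_PCR = 7  # PCR 7 measures the Secure Boot policy and the keys used


def _b64url_json(s):
    """Decode a base64url string (JWE style, no padding) that holds JSON."""
    pad = "=" * (-len(s) % 4)
    return json.loads(base64.urlsafe_b64decode(s + pad))


def token_pcrs(token):
    """PCR indices a token is sealed to; [] if unbound or of an unknown type."""
    ttype = token.get("type")
    if ttype == "systemd-tpm2":
        return [int(p) for p in token.get("tpm2-pcrs", [])]
    if ttype == "clevis":
        header = _b64url_json(token["jwe"]["protected"])
        clevis = header.get("clevis", {})
        if clevis.get("pin") != "tpm2":
            return []  # e.g. tang or sss pin: no local PCR policy
        ids = clevis.get("tpm2", {}).get("pcr_ids", "")
        return [int(p) for p in ids.split(",") if p.strip()]
    return []


def audit_tokens(metadata):
    """One finding per token, ordered by token id."""
    findings = []
    tokens = metadata.get("tokens", {})
    for tid, tok in sorted(tokens.items(), key=lambda kv: int(kv[0])):
        ttype = tok.get("type", "?")
        pcrs = token_pcrs(tok)
        findings.append({
            "token": int(tid),
            "type": ttype,
            "keyslots": [int(k) for k in tok.get("keyslots", [])],
            "pcrs": pcrs,
            "needs": REQUIRED_HELPER.get(ttype, "unknown token plugin"),
            "binds_secure_boot": SECURE_BOOT_PCR in pcrs,
        })
    return findings


def missing_helpers(findings, installed):
    """Helpers the volume's tokens require but the initramfs does not ship."""
    return sorted({f["needs"] for f in findings} - set(installed))


def _clevis_protected(pcr_ids):
    """Constructed JWE protected header as `clevis luks bind -p tpm2` writes it."""
    hdr = {"alg": "dir", "enc": "A256GCM",
           "clevis": {"pin": "tpm2", "tpm2": {"hash": "sha256", "key": "ecc",
                                              "pcr_bank": "sha256",
                                              "pcr_ids": pcr_ids,
                                              "jwk_pub": "...", "jwk_priv": "..."}}}
    raw = base64.urlsafe_b64encode(json.dumps(hdr).encode())
    return raw.decode().rstrip("=")


# Constructed sample: slot 1 sealed by systemd-cryptenroll to PCR 7, slot 2
# bound by clevis to PCRs 0 and 2 only (so a Secure Boot key change would not
# invalidate it). Blobs are placeholders.
SAMPLE_METADATA = {
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-blob": "...",
              "tpm2-pcrs": [7], "tpm2-pcr-bank": "sha256", "tpm2-policy-hash": "..."},
        "1": {"type": "clevis", "keyslots": ["2"],
              "jwe": {"protected": _clevis_protected("0,2"), "encrypted_key": "",
                      "iv": "...", "ciphertext": "...", "tag": "..."}},
    },
}

if __name__ == "__main__":
    report = audit_tokens(SAMPLE_METADATA)
    for f in report:
        flag = "" if f["binds_secure_boot"] else "  (not bound to PCR 7)"
        print(f"token {f['token']}: {f['type']} -> slots {f['keyslots']}, "
              f"PCRs {f['pcrs']}, needs {f['needs']}{flag}")
    # Pretend the initramfs only shipped the clevis pieces, as on bookworm before this series.
    print("missing:", missing_helpers(report, ["clevis-luks-unlock (clevis, clevis-luks)"]))
```

Run it against a real device with `cryptsetup luksDump --dump-json-metadata /dev/sdX2 | python3 -c 'import json,sys,audit; print(audit.audit_tokens(json.load(sys.stdin)))'` (module name assumed). A token that does not include PCR 7 will still unlock after someone enrols their own Secure Boot keys, which is exactly the situation the snakeoil-per-distro certs in this series make easy to get wrong, so the "not bound to PCR 7" flag is the caveat to look at first.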