Message ID | 20210430121957.13306-1-Quirin.Gylstorff@siemens.com
---|---
State | Handled Elsewhere
Series | [isar-cip-core] README.secureboot: Corrections
On 30.04.21 14:19, Q. Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > - Add code block for key insertion for better visibility > - Correct the template for user-generated keys > - Add information where to store the keys > > Add build command for user generated keys > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > doc/README.secureboot.md | 23 ++++++++++++++++++----- > 1 file changed, 18 insertions(+), 5 deletions(-) > > diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md > index 84131bb..12787cf 100644 > --- a/doc/README.secureboot.md > +++ b/doc/README.secureboot.md > @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f > scripts/start-efishell.sh secureboot-tools > ``` > 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps: > +``` > -> "Edit Keys" > -> "The Allowed Signatures Database (db)" > -> "Add New Key" 
> @@ -132,35 +133,47 @@ scripts/start-efishell.sh secureboot-tools > -> "Replace Key(s)" > -> Change/Confirm device > -> Select "PK.auth" file > +``` > 5. quit QEMU > > ### Build image > > + > + These two look spurious. > Build the image with a signed efibootguard and unified kernel image > with the snakeoil keys by executing: > + > ``` > kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml > ``` > > -For user-generated keys, create a new option file. This option file could look like this: > +For user-generated keys, create a new option file in the repository. This option file could look like this: > ``` > header: > version: 10 > includes: > - - opt/ebg-swu.yml > - - opt/ebg-secure-boot-initramfs.yml > + - kas/opt/ebg-swu.yml > + - kas/opt/ebg-secure-boot-base.yml > > local_conf_header: > secure-boot: | > IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" > IMAGER_INSTALL += "ebg-secure-boot-secrets" > - user-keys: > + user-keys: | > SB_CERTDB = "democertdb" > SB_VERIFY_CERT = "demo.crt" > SB_KEY_NAME = "demo" > ``` > > -Replace `demo` with the name of the user-generated certificates. > +Replace `demo` with the name of the user-generated certificates. The user-generated certificates > +need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`. > + > +Build the image with user-generated keys by executing the command: > + > +``` > +kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml > +``` > + Unneeded new-line? > > ### Start the image > > Jan
diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index 84131bb..12787cf 100644 --- a/doc/README.secureboot.md +++ b/doc/README.secureboot.md @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f scripts/start-efishell.sh secureboot-tools ``` 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps: +``` -> "Edit Keys" -> "The Allowed Signatures Database (db)" -> "Add New Key" @@ -132,35 +133,47 @@ scripts/start-efishell.sh secureboot-tools -> "Replace Key(s)" -> Change/Confirm device -> Select "PK.auth" file +``` 5. quit QEMU ### Build image + + Build the image with a signed efibootguard and unified kernel image with the snakeoil keys by executing: + ``` kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml ``` -For user-generated keys, create a new option file. This option file could look like this: +For user-generated keys, create a new option file in the repository. This option file could look like this: ``` header: version: 10 includes: - - opt/ebg-swu.yml - - opt/ebg-secure-boot-initramfs.yml + - kas/opt/ebg-swu.yml + - kas/opt/ebg-secure-boot-base.yml local_conf_header: secure-boot: | IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets" IMAGER_INSTALL += "ebg-secure-boot-secrets" - user-keys: + user-keys: | SB_CERTDB = "democertdb" SB_VERIFY_CERT = "demo.crt" SB_KEY_NAME = "demo" ``` -Replace `demo` with the name of the user-generated certificates. +Replace `demo` with the name of the user-generated certificates. The user-generated certificates +need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`. + +Build the image with user-generated keys by executing the command: + +``` +kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to the new option>.yml +``` + ### Start the image
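Review bot: in the first hunk (@@ -119,6 +119,7 @@) the added opening fence before `-> "Edit Keys"` is not indented under list item 4, so in Markdown the fenced block ends the numbered list and the KeyTool steps, the closing fence added in the second hunk and `5. quit QEMU` no longer render as part of item 4; indent the fence and the `->` lines by the list's indentation (three spaces is enough) so the steps stay inside the item. While touching this spot, the context line still reads `execute the the following steps:`; drop the duplicated "the".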
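Review bot: in the second hunk (@@ -132,35 +133,47 @@) the new paragraph says where the certificates go (`recipes-devtools/ebg-secure-boot-secrets/files`) but not where the private signing key that `SB_KEY_NAME = "demo"` selects has to be placed, and since that folder sits inside the repository it should also warn that real keys must not be committed; please document both. Two smaller points: `need to stored in the folder` is missing "be", and the new build command lists `kas/opt/ebg-swu.yml` explicitly although the option file's `includes:` already pulls in `kas/opt/ebg-swu.yml`, so drop it from one of the two places. The two blank lines added after `### Build image` and the trailing blank line before `### Start the image` that Jan flagged should go as well.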