Message ID | 20240528155435.925718-1-Quirin.Gylstorff@siemens.com |
---|---|
State | Superseded |
Series | [isar-cip-core,RFC] enable secureboot and tpm2 encryption for generic x86 |
On 28.05.24 17:51, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This allows to build generic x86 targets with disk encryption > and secure boot. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > > Kconfig | 6 +++--- > doc/README.secureboot.md | 19 +++++++++++++++++++ > doc/README.tpm2.encryption.md | 12 ++++++++++++ > 3 files changed, 34 insertions(+), 3 deletions(-) > > diff --git a/Kconfig b/Kconfig > index 334b5c6..364a84e 100644 > --- a/Kconfig > +++ b/Kconfig > @@ -190,7 +190,7 @@ endchoice > > config IMAGE_SECURE_BOOT > bool "Secure boot support" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM > + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > > config KAS_INCLUDE_SWUPDATE_SECBOOT > string > @@ -203,13 +203,13 @@ config KAS_INCLUDE_DELTA_UPDATE > > config IMAGE_DATA_ENCRYPTION > bool "Encrypt data partitions on first boot" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM > + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > help > This enables LUKS encryption for the partitions /var and /home. > > config IMAGE_FULL_ENCRYPTION > bool "Encrypt rootfs and data partitions" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM > + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > select IMAGE_DATA_ENCRYPTION > help > This enables LUKS encryption for all non-boot partitions on first boot. > diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md > index e93266d..13e4512 100644 > --- a/doc/README.secureboot.md > +++ b/doc/README.secureboot.md 
> @@ -290,3 +290,22 @@ sda 8:0 0 6G 0 disk > ├─sda6 8:6 0 1.3G 0 part /home > └─sda7 8:7 0 2.6G 0 part /var > ``` > + > +## Secure boot on Generic UEFI x86 > + > +Secureboot for a generic UEFI x86 target works similar to the QEMU target, > +except the enrollment of the secure boot keys. > + > +### Secure boot key enrollment > + > +> :exclamation:**IMPORTANT** This document is not for generating a Machine Owner Key(MOK). > + > +> :exclamation:**IMPORTANT** Enrollment of secure boot keys must occur > +> in a secure environment. > + > +The following keys need to be enrolled onto the device: > + - The Platform Key (PK) > + - The Key Exchange Key (KEK) > + - Allowed Signatures Database > + > +The enrollment must occur according to the manual of the UEFI Firmware. > diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md > index 7dc97c0..3f7e89f 100644 > --- a/doc/README.tpm2.encryption.md > +++ b/doc/README.tpm2.encryption.md > @@ -82,3 +82,15 @@ if [ -n "$keyslot" ]; then > systemd-cryptenroll --tpm2-device="$tpm_device" --tpm2-pcrs=7 "$device" > fi > ``` > +# TPM2 based encryption on generic x86 > + > +For a generic x86 platform with TPM2 module the build can be started with: > + > +```bash > +kas-container menu > +``` > + > +The TPM2 module should support: > + - a sha256 pcr bar with the ecc algorithm. > + > +If only a sha1 pcr bar is avaiable the variable `CRYPT_HASH_TYPE` needs to be set to `sha1`. Heads-up to security WG as well: this should also work on M-COM, at least with 5.10 kernel (hope we sort out the remaining issue on 6.1 soon). Jan
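Review bot: the identical `depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI` line is now duplicated across the three Kconfig hunks (IMAGE_SECURE_BOOT, IMAGE_DATA_ENCRYPTION, IMAGE_FULL_ENCRYPTION), so the next target that gains secure boot or TPM2 support needs three coordinated edits that are easy to get out of sync. Consider one helper symbol that the three options depend on, along the lines of a `def_bool TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI`, so the supported-target list lives in one place. The commit message could also say a word on why the LUKS options are gated on exactly the same target list as secure boot, since the patch flips both with one change.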
diff --git a/Kconfig b/Kconfig index 334b5c6..364a84e 100644 --- a/Kconfig +++ b/Kconfig @@ -190,7 +190,7 @@ endchoice config IMAGE_SECURE_BOOT bool "Secure boot support" - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI config KAS_INCLUDE_SWUPDATE_SECBOOT string @@ -203,13 +203,13 @@ config KAS_INCLUDE_DELTA_UPDATE config IMAGE_DATA_ENCRYPTION bool "Encrypt data partitions on first boot" - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI help This enables LUKS encryption for the partitions /var and /home. config IMAGE_FULL_ENCRYPTION bool "Encrypt rootfs and data partitions" - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI select IMAGE_DATA_ENCRYPTION help This enables LUKS encryption for all non-boot partitions on first boot. diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index e93266d..13e4512 100644 --- a/doc/README.secureboot.md +++ b/doc/README.secureboot.md @@ -290,3 +290,22 @@ sda 8:0 0 6G 0 disk ├─sda6 8:6 0 1.3G 0 part /home └─sda7 8:7 0 2.6G 0 part /var ``` + +## Secure boot on Generic UEFI x86 + +Secureboot for a generic UEFI x86 target works similar to the QEMU target, +except the enrollment of the secure boot keys. + +### Secure boot key enrollment + +> :exclamation:**IMPORTANT** This document is not for generating a Machine Owner Key(MOK). + +> :exclamation:**IMPORTANT** Enrollment of secure boot keys must occur +> in a secure environment. + +The following keys need to be enrolled onto the device: + - The Platform Key (PK) + - The Key Exchange Key (KEK) + - Allowed Signatures Database + +The enrollment must occur according to the manual of the UEFI Firmware. 
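Review bot: the new "Secure boot key enrollment" section of README.secureboot.md names the UEFI databases to populate (PK, KEK, Allowed Signatures Database) but not which artefacts from this build go into them, so a reader told that it "works similar to the QEMU target, except the enrollment" cannot tell which certificate must end up in the Allowed Signatures Database for the signed image to boot; add a sentence naming the certificate the build signs with and pointing to where the QEMU section generates it. On the same hunk, the forbidden-signatures database (dbx) is not mentioned at all, so state explicitly whether it is expected to stay empty or to be populated. Wording: "works similarly to the QEMU target", "Machine Owner Key (MOK)" with a space before the parenthesis, and "Secure boot" rather than "Secureboot", matching the heading.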
diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 7dc97c0..3f7e89f 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -82,3 +82,15 @@ if [ -n "$keyslot" ]; then systemd-cryptenroll --tpm2-device="$tpm_device" --tpm2-pcrs=7 "$device" fi ``` +# TPM2 based encryption on generic x86 + +For a generic x86 platform with TPM2 module the build can be started with: + +```bash +kas-container menu +``` + +The TPM2 module should support: + - a sha256 pcr bar with the ecc algorithm. + +If only a sha1 pcr bar is avaiable the variable `CRYPT_HASH_TYPE` needs to be set to `sha1`.
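Review bot: "a sha256 pcr bar with the ecc algorithm" conflates two unrelated requirements and contains a typo: PCRs are organised in hash banks, so this should read "a SHA-256 PCR bank", and the ECC requirement concerns the key algorithm the TPM has to offer for the key systemd-cryptenroll creates, not the PCR bank; list the two as separate items. The SHA-1 fallback (`CRYPT_HASH_TYPE` set to `sha1`) deserves a caveat in the document: binding the LUKS key to a SHA-1 measurement of PCR 7 is weaker than the SHA-256 bank, so present it as a compatibility fallback only. Also "avaiable" should be "available", and the new heading is level 1 (`# TPM2 based encryption on generic x86`) while the section added to README.secureboot.md in the same series uses `##`; check it matches the heading level of the surrounding sections in README.tpm2.encryption.md.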