| Message ID | 20240529080954.1080468-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
|---|---|
| State | Accepted |
| Series | [isar-cip-core,v2] Enable secureboot and tpm2 encryption for generic x86 |
On 29.05.24 10:08, Quirin Gylstorff wrote: > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > This allows to build generic x86 targets with disk encryption > and secure boot. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > Changes v2: > - add section about ebg-secure-boot-signer > > Kconfig | 6 +++--- > doc/README.secureboot.md | 30 ++++++++++++++++++++++++++++++ > doc/README.tpm2.encryption.md | 12 ++++++++++++ > 3 files changed, 45 insertions(+), 3 deletions(-) > > diff --git a/Kconfig b/Kconfig > index 334b5c6..364a84e 100644 > --- a/Kconfig > +++ b/Kconfig > @@ -190,7 +190,7 @@ endchoice > > config IMAGE_SECURE_BOOT > bool "Secure boot support" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM > + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > > config KAS_INCLUDE_SWUPDATE_SECBOOT > string > @@ -203,13 +203,13 @@ config KAS_INCLUDE_DELTA_UPDATE > > config IMAGE_DATA_ENCRYPTION > bool "Encrypt data partitions on first boot" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM > + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > help > This enables LUKS encryption for the partitions /var and /home. > > config IMAGE_FULL_ENCRYPTION > bool "Encrypt rootfs and data partitions" > - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM > + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI > select IMAGE_DATA_ENCRYPTION > help > This enables LUKS encryption for all non-boot partitions on first boot. > diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md > index e93266d..f0c46ca 100644 > --- a/doc/README.secureboot.md > +++ b/doc/README.secureboot.md 
> @@ -290,3 +290,33 @@ sda 8:0 0 6G 0 disk > ├─sda6 8:6 0 1.3G 0 part /home > └─sda7 8:7 0 2.6G 0 part /var > ``` > + > +## Secure boot on Generic UEFI x86 > + > +Secureboot for a generic UEFI x86 target works similar to the QEMU target, > +except the enrollment of the secure boot keys. > + > +### Secure boot key enrollment > + > +> :exclamation:**IMPORTANT** This document is not for generating a Machine Owner Key(MOK). > + > +> :exclamation:**IMPORTANT** Enrollment of secure boot keys must occur > +> in a secure environment. > + > +The following keys need to be enrolled onto the device: > + - The Platform Key (PK) > + - The Key Exchange Key (KEK) > + - Allowed Signatures Database > + > +The enrollment must occur according to the manual of the UEFI Firmware. > + There is actually a standardized way, see https://manpages.org/efi-updatevar. Jan > +Use the recipes [secure-boot-key](###secure-boot-key) to provided the keys > +to the signing script contained in > +[ebg-secure-boot-signer](###ebg-secure-boot-signer). > + > +### [ebg-secure-boot-signer](./recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.2.bb) > + > +During building a efibootguard based wic image the scripts contained in > +the recipe ebg-secure-boot-signer can be used to sign the bootloader and > +unified kernel image(UKI). If the keys are stored in a HSM the script can > +be exchanged to sign the artifacts in a more secure way. > diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md > index 7dc97c0..3f7e89f 100644 > --- a/doc/README.tpm2.encryption.md > +++ b/doc/README.tpm2.encryption.md 
> @@ -82,3 +82,15 @@ if [ -n "$keyslot" ]; then > systemd-cryptenroll --tpm2-device="$tpm_device" --tpm2-pcrs=7 "$device" > fi > ``` > +# TPM2 based encryption on generic x86 > + > +For a generic x86 platform with TPM2 module the build can be started with: > + > +```bash > +kas-container menu > +``` > + > +The TPM2 module should support: > + - a sha256 pcr bar with the ecc algorithm. > + > +If only a sha1 pcr bar is avaiable the variable `CRYPT_HASH_TYPE` needs to be set to `sha1`.
On 31.05.24 08:19, Jan Kiszka via lists.cip-project.org wrote: > On 29.05.24 10:08, Quirin Gylstorff wrote: >> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> >> This allows to build generic x86 targets with disk encryption >> and secure boot. >> >> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> >> --- >> Changes v2: >> - add section about ebg-secure-boot-signer >> >> Kconfig | 6 +++--- >> doc/README.secureboot.md | 30 ++++++++++++++++++++++++++++++ >> doc/README.tpm2.encryption.md | 12 ++++++++++++ >> 3 files changed, 45 insertions(+), 3 deletions(-) >> >> diff --git a/Kconfig b/Kconfig >> index 334b5c6..364a84e 100644 >> --- a/Kconfig >> +++ b/Kconfig >> @@ -190,7 +190,7 @@ endchoice >> >> config IMAGE_SECURE_BOOT >> bool "Secure boot support" >> - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM >> + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI >> >> config KAS_INCLUDE_SWUPDATE_SECBOOT >> string >> @@ -203,13 +203,13 @@ config KAS_INCLUDE_DELTA_UPDATE >> >> config IMAGE_DATA_ENCRYPTION >> bool "Encrypt data partitions on first boot" >> - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM >> + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI >> help >> This enables LUKS encryption for the partitions /var and /home. >> >> config IMAGE_FULL_ENCRYPTION >> bool "Encrypt rootfs and data partitions" >> - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM >> + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI >> select IMAGE_DATA_ENCRYPTION >> help >> This enables LUKS encryption for all non-boot partitions on first boot. >> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md >> index e93266d..f0c46ca 100644 >> --- a/doc/README.secureboot.md >> +++ b/doc/README.secureboot.md 
>> @@ -290,3 +290,33 @@ sda 8:0 0 6G 0 disk >> ├─sda6 8:6 0 1.3G 0 part /home >> └─sda7 8:7 0 2.6G 0 part /var >> ``` >> + >> +## Secure boot on Generic UEFI x86 >> + >> +Secureboot for a generic UEFI x86 target works similar to the QEMU target, >> +except the enrollment of the secure boot keys. >> + >> +### Secure boot key enrollment >> + >> +> :exclamation:**IMPORTANT** This document is not for generating a Machine Owner Key(MOK). >> + >> +> :exclamation:**IMPORTANT** Enrollment of secure boot keys must occur >> +> in a secure environment. >> + >> +The following keys need to be enrolled onto the device: >> + - The Platform Key (PK) >> + - The Key Exchange Key (KEK) >> + - Allowed Signatures Database >> + >> +The enrollment must occur according to the manual of the UEFI Firmware. >> + > > There is actually a standardized way, see > https://manpages.org/efi-updatevar. > I've tuned that like this while merging: "The enrollment can typically be achieved with the help of [efi-updatevar](https://manpages.debian.org/bookworm/efitools/efi-updatevar.1.en.html) on the device. Otherwise, consult the manual of the specific UEFI Firmware." Thanks, Jan
diff --git a/Kconfig b/Kconfig index 334b5c6..364a84e 100644 --- a/Kconfig +++ b/Kconfig @@ -190,7 +190,7 @@ endchoice config IMAGE_SECURE_BOOT bool "Secure boot support" - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI config KAS_INCLUDE_SWUPDATE_SECBOOT string @@ -203,13 +203,13 @@ config KAS_INCLUDE_DELTA_UPDATE config IMAGE_DATA_ENCRYPTION bool "Encrypt data partitions on first boot" - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI help This enables LUKS encryption for the partitions /var and /home. config IMAGE_FULL_ENCRYPTION bool "Encrypt rootfs and data partitions" - depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM + depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI select IMAGE_DATA_ENCRYPTION help This enables LUKS encryption for all non-boot partitions on first boot. diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index e93266d..f0c46ca 100644 --- a/doc/README.secureboot.md +++ b/doc/README.secureboot.md 
@@ -290,3 +290,33 @@ sda 8:0 0 6G 0 disk ├─sda6 8:6 0 1.3G 0 part /home └─sda7 8:7 0 2.6G 0 part /var ``` + +## Secure boot on Generic UEFI x86 + +Secureboot for a generic UEFI x86 target works similar to the QEMU target, +except the enrollment of the secure boot keys. + +### Secure boot key enrollment + +> :exclamation:**IMPORTANT** This document is not for generating a Machine Owner Key(MOK). + +> :exclamation:**IMPORTANT** Enrollment of secure boot keys must occur +> in a secure environment. + +The following keys need to be enrolled onto the device: + - The Platform Key (PK) + - The Key Exchange Key (KEK) + - Allowed Signatures Database + +The enrollment must occur according to the manual of the UEFI Firmware. + +Use the recipes [secure-boot-key](###secure-boot-key) to provided the keys +to the signing script contained in +[ebg-secure-boot-signer](###ebg-secure-boot-signer). + +### [ebg-secure-boot-signer](./recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.2.bb) + +During building a efibootguard based wic image the scripts contained in +the recipe ebg-secure-boot-signer can be used to sign the bootloader and +unified kernel image(UKI). If the keys are stored in a HSM the script can +be exchanged to sign the artifacts in a more secure way. diff --git a/doc/README.tpm2.encryption.md b/doc/README.tpm2.encryption.md index 7dc97c0..3f7e89f 100644 --- a/doc/README.tpm2.encryption.md +++ b/doc/README.tpm2.encryption.md @@ -82,3 +82,15 @@ if [ -n "$keyslot" ]; then systemd-cryptenroll --tpm2-device="$tpm_device" --tpm2-pcrs=7 "$device" fi ``` +# TPM2 based encryption on generic x86 + +For a generic x86 platform with TPM2 module the build can be started with: + +```bash +kas-container menu +``` + +The TPM2 module should support: + - a sha256 pcr bar with the ecc algorithm. + +If only a sha1 pcr bar is avaiable the variable `CRYPT_HASH_TYPE` needs to be set to `sha1`.
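Review bot: in the first Kconfig hunk (`@@ -190,7 +190,7 @@`) the `depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || TARGET_X86_UEFI` line is now the same four-target expression that the second hunk repeats for IMAGE_DATA_ENCRYPTION and IMAGE_FULL_ENCRYPTION, so every future target needs three identical edits. Consider a hidden helper symbol that each capable target selects and have the three options depend on that instead; the next target then touches one place, and the three options cannot drift apart.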
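Review bot: in the second Kconfig hunk (`@@ -203,13 +203,13 @@`) the help texts of IMAGE_DATA_ENCRYPTION and IMAGE_FULL_ENCRYPTION still only say "This enables LUKS encryption for ..." although on the newly allowed TARGET_X86_UEFI the key is sealed to a TPM2 (the README.tpm2.encryption.md context lines show `systemd-cryptenroll --tpm2-device="$tpm_device" --tpm2-pcrs=7 "$device"`). Add a sentence to both help texts that a TPM2 is required on physical targets and that the key is bound to PCR 7, i.e. to the secure boot state, so users selecting the option in `kas-container menu` know the hardware prerequisite.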
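Review bot: in the README.secureboot.md hunk the two cross-references `[secure-boot-key](###secure-boot-key)` and `[ebg-secure-boot-signer](###ebg-secure-boot-signer)` are not valid markdown anchors; use `(#secure-boot-key)` and `(#ebg-secure-boot-signer)`. Same hunk: "works similar to" should read "works similarly to", "to provided the keys" should be "to provide the keys", and "a efibootguard" should be "an efibootguard". The heading link to `ebg-secure-boot-signer_0.2.bb` pins the recipe version in the doc path and will go stale on the next version bump; link the recipe directory instead. The key list (PK, KEK, Allowed Signatures Database) gives no enrollment order, and since writing the PK is what takes a standard UEFI firmware out of setup mode, the doc should say to enroll db and KEK before PK. Finally, "If the keys are stored in a HSM the script can be exchanged" does not say which variable or recipe to override; name the mechanism so a reader can actually do it.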
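Review bot: in the README.tpm2.encryption.md hunk "pcr bar" (twice) should be "PCR bank" and "avaiable" should be "available". The phrase "a sha256 pcr bar with the ecc algorithm" is ambiguous: a PCR bank is identified by a hash algorithm, while ECC would describe the key type used for sealing, so say which is meant. The doc should also warn that the bank selected via `CRYPT_HASH_TYPE` must be one the firmware actually extends, because the context lines bind the key with `--tpm2-pcrs=7` and an unextended bank would not reflect the secure boot state. `kas-container menu` alone does not tell the reader which options to pick; reference TARGET_X86_UEFI and IMAGE_DATA_ENCRYPTION / IMAGE_FULL_ENCRYPTION from the Kconfig hunks. The new `# TPM2 based encryption on generic x86` is a level-1 heading appended at the end of the file while the secureboot hunk uses `##` for its new section; check it matches the file's existing heading hierarchy.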