[isar-cip-core,1/2] doc: Add section howto generate the a efi auth file from snakeoil certs

Commit Message

Gylstorff Quirin June 21, 2024, 10:12 a.m. UTC

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This allows to test a physical target with the snakeoil keys.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/README.secureboot.md | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

Comments

Jan Kiszka June 21, 2024, 11:06 a.m. UTC | #1

On 21.06.24 12:12, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This allows to test a physical target with the snakeoil keys.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  doc/README.secureboot.md | 20 +++++++++++++++++---
>  1 file changed, 17 insertions(+), 3 deletions(-)
> 
> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
> index 509de97..c5371ea 100644
> --- a/doc/README.secureboot.md
> +++ b/doc/README.secureboot.md
> @@ -47,8 +47,7 @@ Supply the script name and path to wic by adding
>  
>  #### secure-boot-snakeoil
>  
> -This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2)
> -backported from Debian bullseye for signing the image.
> +This package uses the snakeoil key and certificate from the ovmf packagefrom Debian bullseye or later for signing the image.

Missing whitespace.

>  
>  #### secure-boot-key
>  
> @@ -284,7 +283,7 @@ sda              8:0    0     6G  0 disk
>  ├─sda1           8:1    0  16.1M  0 part
>  ├─sda2           8:2    0    32M  0 part
>  ├─sda3           8:3    0    32M  0 part
> -├─sda4           8:4    0     1G  0 part
> +├─sda4           8:4    0     1G  0 party

Party?!? :)

Please re-read your patches once more before sending.

>  ├─sda5           8:5    0     1G  0 part
>  │ └─verityroot 252:0    0 110.9M  1 crypt /
>  ├─sda6           8:6    0   1.3G  0 part  /home
> @@ -295,6 +294,18 @@ sda              8:0    0     6G  0 disk
>  
>  Secureboot for a generic UEFI x86 target works similar to the QEMU target,
>  except the enrollment of the secure boot keys.
> +### Generate keys from Debian snakeoil keys
> +
> +For testing the snakeoil keys from OVMF package can be used to convert the certitificate

And please enable spellchecking in your editor.

> +into a efi authority file use the following commands:
> +```bash
> +cert-to-efi-sig-list recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.pem PK.esl
> +sign-efi-sig-list -k recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.key -c recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.pem PK PK.esl PK.auth
> +```
> +
> +#### Prerequisites
> + The package `efitools` needs to be installed.
> +
>  
>  ### Secure boot key enrollment
>  
> @@ -316,6 +327,9 @@ Use the recipes [secure-boot-key](###secure-boot-key) to provided the keys
>  to the signing script contained in
>  [ebg-secure-boot-signer](###ebg-secure-boot-signer).
>  
> +
> +
> +

Why these newlines?

>  ### [ebg-secure-boot-signer](./recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.2.bb)
>  
>  During building a efibootguard based wic image the scripts contained in

Jan

Jan Kiszka June 21, 2024, 7:48 p.m. UTC | #2

On 21.06.24 12:12, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This allows to test a physical target with the snakeoil keys.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
>  doc/README.secureboot.md | 20 +++++++++++++++++---
>  1 file changed, 17 insertions(+), 3 deletions(-)
> 
> diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
> index 509de97..c5371ea 100644
> --- a/doc/README.secureboot.md
> +++ b/doc/README.secureboot.md
> @@ -47,8 +47,7 @@ Supply the script name and path to wic by adding
>  
>  #### secure-boot-snakeoil
>  
> -This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2)
> -backported from Debian bullseye for signing the image.
> +This package uses the snakeoil key and certificate from the ovmf packagefrom Debian bullseye or later for signing the image.
>  
>  #### secure-boot-key
>  
> @@ -284,7 +283,7 @@ sda              8:0    0     6G  0 disk
>  ├─sda1           8:1    0  16.1M  0 part
>  ├─sda2           8:2    0    32M  0 part
>  ├─sda3           8:3    0    32M  0 part
> -├─sda4           8:4    0     1G  0 part
> +├─sda4           8:4    0     1G  0 party
>  ├─sda5           8:5    0     1G  0 part
>  │ └─verityroot 252:0    0 110.9M  1 crypt /
>  ├─sda6           8:6    0   1.3G  0 part  /home
> @@ -295,6 +294,18 @@ sda              8:0    0     6G  0 disk
>  
>  Secureboot for a generic UEFI x86 target works similar to the QEMU target,
>  except the enrollment of the secure boot keys.
> +### Generate keys from Debian snakeoil keys
> +
> +For testing the snakeoil keys from OVMF package can be used to convert the certitificate
> +into a efi authority file use the following commands:
> +```bash
> +cert-to-efi-sig-list recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.pem PK.esl
> +sign-efi-sig-list -k recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.key -c recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.pem PK PK.esl PK.auth
> +```
> +
> +#### Prerequisites
> + The package `efitools` needs to be installed.
> +
>  
>  ### Secure boot key enrollment
>  
> @@ -316,6 +327,9 @@ Use the recipes [secure-boot-key](###secure-boot-key) to provided the keys
>  to the signing script contained in
>  [ebg-secure-boot-signer](###ebg-secure-boot-signer).
>  
> +
> +
> +
>  ### [ebg-secure-boot-signer](./recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.2.bb)
>  
>  During building a efibootguard based wic image the scripts contained in

Massaged and applied to next, thanks.

Jan

Patch

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 509de97..c5371ea 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -47,8 +47,7 @@  Supply the script name and path to wic by adding
 
 #### secure-boot-snakeoil
 
-This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2)
-backported from Debian bullseye for signing the image.
+This package uses the snakeoil key and certificate from the ovmf packagefrom Debian bullseye or later for signing the image.
 
 #### secure-boot-key
 
@@ -284,7 +283,7 @@  sda              8:0    0     6G  0 disk
 ├─sda1           8:1    0  16.1M  0 part
 ├─sda2           8:2    0    32M  0 part
 ├─sda3           8:3    0    32M  0 part
-├─sda4           8:4    0     1G  0 part
+├─sda4           8:4    0     1G  0 party
 ├─sda5           8:5    0     1G  0 part
 │ └─verityroot 252:0    0 110.9M  1 crypt /
 ├─sda6           8:6    0   1.3G  0 part  /home
@@ -295,6 +294,18 @@  sda              8:0    0     6G  0 disk
 
 Secureboot for a generic UEFI x86 target works similar to the QEMU target,
 except the enrollment of the secure boot keys.
+### Generate keys from Debian snakeoil keys
+
+For testing the snakeoil keys from OVMF package can be used to convert the certitificate
+into a efi authority file use the following commands:
+```bash
+cert-to-efi-sig-list recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.pem PK.esl
+sign-efi-sig-list -k recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.key -c recipes-devtools/secure-boot-secrets/files/bookworm/PkKek-1-snakeoil.pem PK PK.esl PK.auth
+```
+
+#### Prerequisites
+ The package `efitools` needs to be installed.
+
 
 ### Secure boot key enrollment
 
@@ -316,6 +327,9 @@  Use the recipes [secure-boot-key](###secure-boot-key) to provided the keys
 to the signing script contained in
 [ebg-secure-boot-signer](###ebg-secure-boot-signer).
 
+
+
+
 ### [ebg-secure-boot-signer](./recipes-devtools/ebg-secure-boot-signer/ebg-secure-boot-signer_0.2.bb)
 
 During building a efibootguard based wic image the scripts contained in