From patchwork Tue May 23 05:18:44 2023
X-Patchwork-Submitter: "MOESSBAUER, Felix"
X-Patchwork-Id: 13252798
From: Felix Moessbauer
To: cip-dev@lists.cip-project.org
Cc: jan.kiszka@siemens.com, meng.ding@siemens.com, chengshu.mou@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [isar-cip-core][PATCH 1/3] fix(start-efishell): argument passing to qemu
Date: Tue, 23 May 2023 13:18:44 +0800
Message-Id: <20230523051846.1007400-2-felix.moessbauer@siemens.com>
In-Reply-To: <20230523051846.1007400-1-felix.moessbauer@siemens.com>
References: <20230523051846.1007400-1-felix.moessbauer@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11622

In commit 0129baec findings by shellcheck have been addressed. However, this broke the QEMU arguments, as these do not allow passing quoted strings. By that, the deployment of secure boot keys was broken. To avoid similar issues in the future, we revert the code, disable the shellcheck warning and add a note on the reason.

In addition, the format / driver of the disk is specified explicitly to avoid a warning during startup.

Signed-off-by: Felix Moessbauer
---
 scripts/start-efishell.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/scripts/start-efishell.sh b/scripts/start-efishell.sh
index 5ec85e0..fff8a6a 100755
--- a/scripts/start-efishell.sh
+++ b/scripts/start-efishell.sh
@@ -5,11 +5,14 @@ set -e ovmf_code=${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE_4M.secboot.fd} ovmf_vars=${OVMF_VARS:-./OVMF_VARS_4M.fd} DISK=$1 + +# QEMU is very picky about how arguments are passed (strings must not be quoted). +# shellcheck disable=SC2086 qemu-system-x86_64 -enable-kvm -M q35 -nographic \ -cpu host,hv_relaxed,hv_vapic,hv-spinlocks=0xfff -smp 2 -m 2G -no-hpet \ -global ICH9-LPC.disable_s3=1 \ -global isa-fdc.driveA= \ -boot menu=on \ - -drive if=pflash,format=raw,unit=0,readonly=on,file="${ovmf_code}" \ - -drive if=pflash,format=raw,file="${ovmf_vars}" \ - -drive file=fat:rw:"$DISK" + -drive if=pflash,format=raw,unit=0,readonly=on,file=${ovmf_code} \ + -drive if=pflash,format=raw,file=${ovmf_vars} \ + -drive file=fat:rw:$DISK,driver=vvfat

From patchwork Tue May 23 05:18:45 2023
X-Patchwork-Submitter: "MOESSBAUER, Felix"
X-Patchwork-Id: 13252799
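Review bot: On PATCH 1/3, the rationale in the added comment `+# QEMU is very picky about how arguments are passed (strings must not be quoted).` does not hold: the shell performs quote removal before exec, so `file="${ovmf_code}"` and `file=${ovmf_code}` hand QEMU byte-identical argv entries whenever the value contains no whitespace or glob characters, and QEMU never sees a quote character in either form. Dropping the quotes and adding `# shellcheck disable=SC2086` therefore cannot be what restored key deployment, while it does reintroduce word splitting and globbing for a `$DISK` path that contains spaces or `*`. Suggest keeping the quoted form together with the `driver=vvfat` addition, and identifying what in 0129baec actually broke the `fat:rw:` drive before documenting a reason that will mislead the next person to run shellcheck here.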
From: Felix Moessbauer
To: cip-dev@lists.cip-project.org
Cc: jan.kiszka@siemens.com, meng.ding@siemens.com, chengshu.mou@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [isar-cip-core][PATCH 2/3] docs(secureboot): fix logical issues in example
Date: Tue, 23 May 2023 13:18:45 +0800
Message-Id: <20230523051846.1007400-3-felix.moessbauer@siemens.com>
In-Reply-To: <20230523051846.1007400-1-felix.moessbauer@siemens.com>
References: <20230523051846.1007400-1-felix.moessbauer@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11623

This patch adapts the provided example to recent code changes in cip-core. Further, it makes the example more precise by using the key prefixes used in generate_secure_boot_keys.sh.

Signed-off-by: Felix Moessbauer
---
 doc/README.secureboot.md | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index bc238fb..797e913 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -112,7 +112,7 @@ cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot. 3. Start QEMU with the script scripts/start-efishell.sh ``` -scripts/start-efishell.sh secureboot-tools +./scripts/start-efishell.sh secureboot-tools ``` 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps: ``` @@ -120,15 +120,15 @@ scripts/start-efishell.sh secureboot-tools -> "The Allowed Signatures Database (db)" -> "Add New Key" -> Change/Confirm device - -> Select "DB.esl" file + -> Select "demoDB.esl" file -> "The Key Exchange Key Database (KEK)" -> "Add New Key" -> Change/Confirm device - -> Select "KEK.esl" file + -> Select "demoKEK.esl" file -> "The Platform Key (PK) -> "Replace Key(s)" -> Change/Confirm device - -> Select "PK.auth" file + -> Select "demoPK.auth" file ``` 5. quit QEMU 
@@ -151,22 +151,26 @@ header: local_conf_header: secure-boot-image: | IMAGE_FSTYPES = "wic" + IMAGE_TYPEDEP:wic += "verity" + SWU_ROOTFS_TYPE = "verity" WKS_FILE = "${MACHINE}-efibootguard-secureboot.wks.in" INITRAMFS_INSTALL:append = " initramfs-verity-hook" # abrootfs cannot be installed together with verity INITRAMFS_INSTALL:remove = "initramfs-abrootfs-hook" -local_conf_header: secure-boot: | IMAGER_BUILD_DEPS += "ebg-secure-boot-signer" IMAGER_INSTALL += "ebg-secure-boot-signer" -# Use user-generated keys + # Use user-generated keys PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-key" + secureboot_override: | + OVERRIDES .= ":secureboot" + user-keys: | - SB_CERT = "demo.crt" - SB_KEY = "demo.key" + SB_CERT = "demoDB.crt" + SB_KEY = "demoDB.key" ``` Replace `demo` with the name of the user-generated certificates. The user-generated certificates

From patchwork Tue May 23 05:18:46 2023
X-Patchwork-Submitter: "MOESSBAUER, Felix"
X-Patchwork-Id: 13252796
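Review bot: On PATCH 2/3, hunk @@ -151: the `user-keys` block now selects `demoDB.crt` and `demoDB.key`, but the unchanged sentence after the block still says "Replace `demo` with the name of the user-generated certificates". Since generate_secure_boot_keys.sh appends the `DB`, `KEK` and `PK` suffixes, say explicitly that only the `demo` prefix is replaced and the `DB` suffix stays, otherwise a reader following the text literally points SB_CERT at a file that does not exist. The added `secureboot_override: | OVERRIDES .= ":secureboot"` header also gets no explanation in the surrounding prose; one sentence on why the override is required would make the example self-explaining. Dropping the second `-local_conf_header:` key is the right fix, as a repeated mapping key is either rejected or silently overrides the first one depending on the YAML loader.

Review bot: On PATCH 2/3, hunk @@ -112: while rewriting the command line in this section, the two context lines "OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot" (missing "and") and "execute the the following steps" (doubled "the") could be fixed in the same patch instead of being carried forward.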
From: Felix Moessbauer
To: cip-dev@lists.cip-project.org
Cc: jan.kiszka@siemens.com, meng.ding@siemens.com, chengshu.mou@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [isar-cip-core][PATCH 3/3] docs(secureboot): make markdown better readable
Date: Tue, 23 May 2023 13:18:46 +0800
Message-Id: <20230523051846.1007400-4-felix.moessbauer@siemens.com>
In-Reply-To: <20230523051846.1007400-1-felix.moessbauer@siemens.com>
References: <20230523051846.1007400-1-felix.moessbauer@siemens.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11620

This patch adds the language annotations to all code blocks to enable code highlighting. In addition, code blocks are surrounded by newlines to make them more readable in the non-rendered version.

Signed-off-by: Felix Moessbauer
---
 doc/README.secureboot.md | 54 ++++++++++++++++++++++++++++------------
 1 file changed, 38 insertions(+), 16 deletions(-)

diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
index 797e913..6546095 100644
--- a/doc/README.secureboot.md
+++ b/doc/README.secureboot.md
@@ -103,18 +103,23 @@ execute the script `scripts/generate_secure_boot_keys.sh` ##### Add Keys to OVMF 1. Create a folder and copy the generated keys and KeyTool.efi (in Debian the file can be found at: /lib/efitools/x86_64-linux-gnu/KeyTool.efi) to the folder -``` + +```bash mkdir secureboot-tools cp -r keys secureboot-tools cp /lib/efitools/x86_64-linux-gnu/KeyTool.efi secureboot-tools ``` + 2. Copy the file OVMF_VARS_4M.fd (in Debian the file can be found at /usr/share/OVMF/OVMF_VARS_4M.fd) to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented for secureboot. 3. Start QEMU with the script scripts/start-efishell.sh -``` + +```bash ./scripts/start-efishell.sh secureboot-tools ``` + 4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the following steps: + ``` -> "Edit Keys" -> "The Allowed Signatures Database (db)" @@ -130,6 +135,7 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f -> Change/Confirm device -> Select "demoPK.auth" file ``` + 5. quit QEMU ### Build image @@ -137,12 +143,13 @@ to the current directory. OVMF_VARS_4M.fd contains no keys can be instrumented f Build the image with a signed EFI Boot Guard and unified kernel image with the snakeoil keys by executing: -``` +```bash kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-secure-boot-snakeoil.yml ``` For user-generated keys, create a new option file in the repository. This option file could look like this: -``` + +```yaml header: version: 12 includes: @@ -178,7 +185,7 @@ need to stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`. Build the image with user-generated keys by executing the command: -``` +```bash kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:.yml ``` @@ -187,7 +194,8 @@ kas-container build kas-cip.yml:kas/board/qemu-amd64.yml: \ 
@@ -209,12 +218,15 @@ OVMF_VARS= \ ``` After boot check the dmesg for secure boot status like below: -``` + +```bash root@demo:~# dmesg | grep Secure [ 0.008368] Secure boot enabled ``` + In case of arm64 or armhf architectures, the secure boot status can be found in bootloader logs like below: -``` + +```bash EFI stub: UEFI Secure Boot is enabled. ``` ## Example: Update the image @@ -223,19 +235,26 @@ For updating the image, the following steps are necessary: - [Build the image with snakeoil keys](#build-image) - save the generated swu `build/tmp/deploy/images/qemu-amd64/cip-core-image-cip-core-bullseye-qemu-amd64.swu` to /tmp - modify the image for example, switch to the RT kernel as modification: -``` + +```bash kas-container build kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-secure-boot-snakeoil.yml:kas/opt/rt.yml ``` + - start the new target -``` + +```bash SECURE_BOOT=y ./start-qemu.sh amd64 ``` + Copy the swu cip-core-image-cip-core-bullseye-qemu-amd64.swu to the running system -``` + +```bash scp -P 22222 /tmp/cip-core-image-cip-core-bullseye-qemu-amd64.swu root@127.0.0.1:/home/ ``` + - check which partition is booted, e.g. with `lsblk`: -``` + +```bash root@demo:~# lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 6G 0 disk @@ -250,12 +269,15 @@ sda 8:0 0 6G 0 disk ``` - install the swupdate and reboot the image -``` + +```bash root@demo:~# swupdate -i /home/cip-core-image-cip-core-bullseye-qemu-amd64.swu` root@demo:~# reboot ``` + - check which partition is booted, e.g. with `lsblk`. The rootfs should have changed: -``` + +```bash root@demo:~# lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 6G 0 disk