public inbox for cip-dev@lists.cip-project.org
From: "Dinesh Kumar" <dinesh.kumar@toshiba-tsip.com>
To: cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] [isar-cip-core][PATCH v2] README.secureboot: Corrections
Date: Wed, 05 May 2021 21:46:50 -0700
Message-ID: <1707.1620276410983872256@lists.cip-project.org>
In-Reply-To: <77651949-83ac-5a97-4ccb-b047d9f21867@siemens.com>

On Thu, May  6, 2021 at 12:24 AM, Quirin Gylstorff wrote:

>
> 
> 
> On 5/5/21 6:47 PM, Jan Kiszka wrote:
> > Dinesh, your citation settings are broken. When sending plaintext, as it
> > is common on public lists, you need to set the mark "> " at the
> > beginning of all cited lines.
> > 
> > On 30.04.21 16:06, Dinesh Kumar wrote:
> >> On Fri, Apr 30, 2021 at 06:19 AM, Quirin Gylstorff wrote:
> >>
> >>      From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >>
> >>      - Add code block for key insertion for better visibility
> >>      - Correct the template for user-generated keys
> >>      - Add information where to store the keys
> >>
> >>      Add build command for user generated keys
> >>
> >>      Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >>      ---
> >>
> >>      Changes in V2:
> >>      - remove unnecessary new-lines
> >>
> >>      doc/README.secureboot.md | 20 +++++++++++++++-----
> >>      1 file changed, 15 insertions(+), 5 deletions(-)
> >>
> >>      diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md
> >>      index 84131bb..0996edc 100644
> >>      --- a/doc/README.secureboot.md
> >>      +++ b/doc/README.secureboot.md
> >>      @@ -119,6 +119,7 @@ to the current directory. OVMF_VARS_4M.fd
> >>      contains no keys can be instrumented f
> >>      scripts/start-efishell.sh secureboot-tools
> >>      ```
> >>      4. Start the KeyTool.efi FS0:\KeyTool.efi and execute the the
> >>      following steps:
> >>
> >>      +```
> >>
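Review bot: the opening fence added in this hunk (`+```` before the `-> "Edit Keys"` steps) fixes the rendering of step 4, but it is matched only by the `+```` in the second hunk after `-> Select "PK.auth" file`, so the two hunks must land together for the README to render correctly; more importantly, the step text around `scripts/start-efishell.sh secureboot-tools` still omits two prerequisites raised in this thread: the KeyTool session fails with the qemu-system-x86_64 shipped by default in Debian buster (5.2.0 or higher is reported to be needed), and it opens a graphical QEMU window, so it cannot be driven over a plain remote shell. Consider recording both in step 3 or step 4 while the section is being edited.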
> >> Do you want to mention that qemu-system-x86_64 --version should be 5.2.0 or
> >> higher, as the default Debian buster has an older version of qemu and this step
> >> fails with the older version?
> >> Also, these steps can't be executed remotely as it launches a UI window for
> >> QEMU, so it should be done locally.
> > 
> > Feel free to send a patch (or MR if that is easier) that adjusts things,
> > Dinesh.
> > 
> >>
> >>      -> "Edit Keys"
> >>      -> "The Allowed Signatures Database (db)"
> >>      -> "Add New Key"
> >>      @@ -132,35 +133,44 @@ scripts/start-efishell.sh secureboot-tools
> >>      -> "Replace Key(s)"
> >>      -> Change/Confirm device
> >>      -> Select "PK.auth" file
> >>      +```
> >>      5. quit QEMU
> >>
> >>      ### Build image
> >>
> >>      Build the image with a signed efibootguard and unified kernel image
> >>      with the snakeoil keys by executing:
> >>      +
> >>      ```
> >>      kas-container build
> >>     
> kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:kas/opt/ebg-secure-boot-snakeoil.yml
> >>      ```
> >>
> >>      -For user-generated keys, create a new option file. This option file
> >>      could look like this:
> >>      +For user-generated keys, create a new option file in the
> >>      repository. This option file could look like this:
> >>      ```
> >>      header:
> >>      version: 10
> >>      includes:
> >>      - - opt/ebg-swu.yml
> >>      - - opt/ebg-secure-boot-initramfs.yml
> >>      + - kas/opt/ebg-swu.yml
> >>      + - kas/opt/ebg-secure-boot-base.yml
> >>
> >>      local_conf_header:
> >>      secure-boot: |
> >>      IMAGER_BUILD_DEPS += "ebg-secure-boot-secrets"
> >>      IMAGER_INSTALL += "ebg-secure-boot-secrets"
> >>      - user-keys:
> >>      + user-keys: |
> >>      SB_CERTDB = "democertdb"
> >>      SB_VERIFY_CERT = "demo.crt"
> >>      SB_KEY_NAME = "demo"
> >>      ```
> >>
> >>      -Replace `demo` with the name of the user-generated certificates.
> >>      +Replace `demo` with the name of the user-generated certificates.
> 
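Review bot: the `+ user-keys: |` line is the substantive fix in this hunk: without the `|` literal-block indicator the following `SB_CERTDB`, `SB_VERIFY_CERT` and `SB_KEY_NAME` assignments are not a string value of `user-keys` the way the `secure-boot: |` entry two lines above already is, so the old example could not have been loaded as written. The corrected `includes:` entries (`kas/opt/ebg-swu.yml`, `kas/opt/ebg-secure-boot-base.yml`) now use the same `kas/opt/...` prefix as the `kas-container build` command above, which is consistent with the new wording that the option file lives in the repository. One documentation gap remains: the text says to replace `demo` with the name of the user-generated certificates, but only `SB_VERIFY_CERT = "demo.crt"` names a concrete file; it would help to state which files the recipe expects for `SB_KEY_NAME` and `SB_CERTDB` (for example the key file name it derives from `demo`) so readers know exactly what to place in the secrets directory.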
> I added the following sentence to the README for the keys:
> 
> The formatting is off:
> >>      The user-generated certificates
> >>      +need to stored in the folder
> >>      `recipes-devtools/ebg-secure-boot-secrets/files`.
> 
> 
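Review bot: typo in the added sentence: `+need to stored in the folder` should read `need to be stored in the folder`. Since the point being documented here (see Dinesh's remark further down in this mail) is that the output of `scripts/generate_secure_boot_keys.sh` is not picked up by the build until it is copied into `recipes-devtools/ebg-secure-boot-secrets/files`, consider naming that script in the same sentence, e.g. "The certificates and keys generated by `scripts/generate_secure_boot_keys.sh` need to be stored in the folder `recipes-devtools/ebg-secure-boot-secrets/files`.", so the reader connects the generation step with the recipe's files directory.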
> Dinesh is that sufficient?
Yes, Quirin, that's sufficient to point it out.
> 
> Quirin
> >>      +
> >>      +Build the image with user-generated keys by executing the command:
> >>      +
> >>      +```
> >>      +kas-container build
> >>      kas-cip.yml:kas/board/qemu-amd64.yml:kas/opt/ebg-swu.yml:<path to
> >>      the new option>.yml
> >>      +```
> >>
> >>      ### Start the image
> >>
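Review bot: the new build command lists `kas/opt/ebg-swu.yml` on the command line even though the option file shown in this same hunk already pulls it in via `includes:` (`+ - kas/opt/ebg-swu.yml`), so one of the two is redundant; harmless, but the README should settle on one form so readers do not wonder whether the include is required. The `<path to the new option>.yml` placeholder would also benefit from a note that it is given the same way as the other entries in the colon-separated list, i.e. relative to the checkout that contains `kas-cip.yml`, which matches the "create a new option file in the repository" wording above.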
> >> Where are you taking care of my below point? I don't see it yet.
> >>
> >>      Keys and certs generated by scripts/generate_secure_boot_keys.sh are
> >>      not available to the build command, so I have to move them into the
> >>      recipes-devtools/ebg-secure-boot-secrets/files/ folder to make it work.
> >>
> > 
> > Quirin?
> > 
> > Jan
> > 
>

Thread overview: 9+ messages
2021-04-30 12:19 [cip-dev][isar-cip-core][PATCH] README.secureboot: Corrections Quirin Gylstorff
2021-04-30 12:28 ` Jan Kiszka
2021-04-30 13:15 ` [cip-dev][isar-cip-core][PATCH v2] " Quirin Gylstorff
2021-04-30 14:06   ` [cip-dev] [isar-cip-core][PATCH " Dinesh Kumar
2021-05-05 16:47     ` Jan Kiszka
2021-05-05 18:47       ` Quirin Gylstorff
2021-05-06  4:46         ` Dinesh Kumar [this message]
2021-05-06  4:39       ` Dinesh Kumar
2021-04-30 14:51   ` [cip-dev][isar-cip-core][PATCH " Jan Kiszka
